RL-TR-91-36, Vol IIb (of seven)
Final Technical Report
April 1991

AD-A236 130

ROMULUS: A COMPUTER SECURITY
PROPERTIES MODELING ENVIRONMENT
Mathesis

ORA

Ian Sutherland, Tanya Korelsky, Daryl McCullough,
David Rosenthal, Jonathan Seldin, Marcos Lam,
Carl Eichenlaub, Bruce Esrig, James Hook, Carl Klapper,
Garrel Pottinger, Owen Rambow, Stanley Perlo

APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED.

Rome Laboratory
Air Force Systems Command
Griffiss Air Force Base, NY 13441-5700


This report has been reviewed by the Rome Laboratory Public Affairs Office (PA) and is releasable to the National Technical Information Service (NTIS). At NTIS it will be releasable to the general public, including foreign nations.

RL-TR-91-36, Volume IIb (of seven) has been reviewed and is approved for publication.

APPROVED:

JOSEPH W. FRANK
Project Engineer

APPROVED:

RAYMOND P. URTZ, JR.
Technical Director
Directorate of Command & Control

FOR THE COMMANDER:

RONALD RAPOSO
Directorate of Plans & Programs

If your address has changed or if you wish to be removed from the Rome Laboratory mailing list, or if the addressee is no longer employed by your organization, please notify RL (COAC) Griffiss AFB, NY 13441-5700. This will assist us in maintaining a current mailing list.

Do not return copies of this report unless contractual obligations or notices on a specific document require that it be returned.


REPORT DOCUMENTATION PAGE
Form Approved
OMB No. 0704-0188

1. AGENCY USE ONLY (Leave blank)

2. REPORT DATE
April 1991

3. REPORT TYPE AND DATES COVERED
Final Apr 85 - May 90

4. TITLE AND SUBTITLE
ROMULUS: A COMPUTER SECURITY PROPERTIES MODELING ENVIRONMENT, Mathesis

5. FUNDING NUMBERS
C - F30602-85-C-0098
PE - 35167G
PR - 1065
TA - 01
WU - 02

6. AUTHOR(S)
Ian Sutherland, Tanya Korelsky, Daryl McCullough, David Rosenthal, Jonathan Seldin, Marcos Lam, Carl Eichenlaub, Bruce Esrig, James Hook, Carl Klapper, Garrel Pottinger, Owen Rambow, Stanley Perlo

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
ORA
301A Harris B. Dates Drive
Ithaca NY 14850-1313

8. PERFORMING ORGANIZATION REPORT NUMBER
N/A

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)
Rome Laboratory (COAC)
Griffiss AFB NY 13441-5700

10. SPONSORING/MONITORING AGENCY REPORT NUMBER
RL-TR-91-36, Vol IIb (of seven)

11. SUPPLEMENTARY NOTES
Rome Laboratory Project Engineer: Joseph W. Frank/COAC/(315) 330-2925

12a. DISTRIBUTION/AVAILABILITY STATEMENT
Approved for public release; distribution unlimited.

12b. DISTRIBUTION CODE

13. ABSTRACT (Maximum 200 words)

The Romulus Report describes the Romulus Computer Security Properties Modeling Environment. Romulus is an environment and methodology for the modeling, analysis, and verification of trusted computer systems, together with supporting tools. The Romulus methodology is based on a mathematical theory of security developed at Odyssey Research Associates. The theory formalizes multilevel information flow security by introducing restrictiveness, a hookup security property. This means that a collection of secure restrictive systems, when hooked up, forms a secure restrictive composite system. Because of its composability, restrictiveness is a useful security property for large, complex, distributed systems.

Volume I presents an overview of the important ideas and tools incorporated into the Romulus system. Volume II describes the underlying theory of security as well as Mathesis, the mathematical foundations of Romulus.

NOTE: Rome Laboratory/RL (formerly Rome Air Development Center/RADC)

14. SUBJECT TERMS
Computer Security, Romulus, Verification, Multilevel Security, Hookup Security

15. NUMBER OF PAGES

16. PRICE CODE

17. SECURITY CLASSIFICATION OF REPORT
UNCLASSIFIED

18. SECURITY CLASSIFICATION OF THIS PAGE
UNCLASSIFIED

19. SECURITY CLASSIFICATION OF ABSTRACT
UNCLASSIFIED

20. LIMITATION OF ABSTRACT
UL

Acknowledgments

I would like to thank Richard Platek, Garrel Pottinger, Tatiana Korelsky, and James Hook for their many helpful comments and suggestions. Garrel Pottinger was especially helpful in checking carefully the proof of the strong normalization theorem in Chapter 4. Richard Platek wrote part of the Introduction.

Very special thanks are due to Owen Rambow for his creative work in translating this work from its original form (written in 1st Word on an Atari ST) into LaTeX, and to Donna Simmons and Carlos Maymi for helping him.

Jonathan P. Seldin

Ithaca, New York
April 24, 1987


Contents

INTRODUCTION  4

1 TYPED LAMBDA-CALCULUS  8
1.1 Type symbols and type structures  9
1.2 The typed λ-calculus  12
1.3 The Church-Rosser theorem and pure λ-calculus  21

2 EXTENSIONS OF TYPED LAMBDA-CALCULUS  23
2.1 Type assignment  25
2.2 Type variables and principal type scheme  36
2.3 Universal quantification over all types  38
2.4 The power of second order quantification  43
2.5 Generalized type assignment  47
2.6 The need for conversion rules  49
2.7 Basic generalized type assignment  52
2.8 Extended generalized type assignment  55

3 CONSTRUCTIVE LOGIC  62
3.1 The ⊃-calculus  64
3.2 Formulas-as-types  67
3.3 Adding ∧, ∨, and ⊥ (for ¬)  70
3.4 Extension of formulas-as-types  72a
3.5 First order quantifiers  74
3.6 The full theory of types  83

4 THE THEORY OF CONSTRUCTIONS  87
4.1 The theory of constructions: natural deduction formulation  88
4.2 The basic metatheory of the theory of constructions  92
4.3 The strong normalization theorem  114
4.4 Consequences of the strong normalization theorem  134
4.5 The theory of constructions: sequent formulation  139a

5 REPRESENTING LOGIC AND MATHEMATICS IN THE THEORY OF CONSTRUCTIONS  146
5.1 Representing logic with equality  147
5.2 Adding axioms to the theory of constructions  153
5.3 Representing arithmetic  157
5.4 Representing sets and functions  162

A LIST OF POSTULATES AND SYSTEMS  166

B SYSTEMS AND THEIR DEFINITIONS  169


INTRODUCTION

This work is an introduction to MATHESIS, the underlying mathematical foundation for ROMULUS. In ROMULUS one proves that models, designs and formal specifications of information processing systems have security properties. For this to be meaningful it is essential that the underlying automated mathematical foundation itself be sound. It is a known fact that various design and program verification environments in widespread use within the computer security community have faulty logics and implementations; a knowledgeable user of these environments can exploit these flaws to prove false facts about a system. A less malicious user could inadvertently exploit these flaws and also prove false facts about systems. Machine certification of proofs is thus called into question when the certification mechanisms themselves are not appropriately certified.

There are two basic explanations of these flaws. First, the informal theory which stands logically prior to the theorem prover has not been adequately worked out. The purpose of this document is to work out such a theory for the ROMULUS mathematical component. In particular, we prove the formal consistency of this theory.

A second source of error occurs during implementation. Many automated mathematical components and theorem provers evolve incrementally; new features are continually added to make the theorem prover ever more powerful. Also, specific algorithms are replaced by more efficient ones. This maintenance, like most software maintenance, is usually done in an ad hoc manner. Logical flaws have a way of slipping in during such improvements. Our approach to this problem is to provide a mathematical foundation which in principle is much stronger than presently needed. The underlying logic is a true mathematical foundation in that the usual mathematical entities, viz. sets, sequences, functions, relations, etc., are all definable in terms of our ground entities. Future extensions of the theorem prover consist in adding definitions to the basic logic. The standard basic theorems about the new entities (what are usually called axioms) are then provable in the basic logic.
We thus have two requirements for a mathematical foundation for verification: the informal theory needs to be worked out prior to implementation; the foundational theory should be strong enough to support definitional extensions which will encompass a significant amount of mathematics. Several approaches to foundations satisfy these requirements. Our specific choice was determined by several further requirements. First, in order to add confidence to the correctness of the implementation it would be desirable that the underlying foundations have as few moving parts as possible; i.e. the number of basic entities, constructors, axioms, etc. be small. Second, it would be desirable for the foundation to have computational content. That is, within the logic mechanically decidable statements should be distinguishable from undecidable ones, and when statements are decidable the decision procedures encoded in their proofs should be available as computer programs. Logicians with a strictly mathematical background have not required this distinction; in computer science it separates the possible from the impossible. The natural logic for such computable entities is called constructive logic. There are cases where classical logic differs from constructive logic; namely, some classically valid proofs cannot be made in constructive logic. On the other hand, there is an important sense in which constructive logic is stronger than classical logic, since the latter can be interpreted in the former.

Since constructive logic is not well-known outside of certain subfields of mathematics and computer science, a few words about it may be in order. If one proves in constructive logic that something exists, then one must either give an explicit construction of that thing or else give a set of directions for constructing it. It follows from this that although in classical logic one is concerned only with truth and not how that truth is established, in constructive logic one is concerned with provability and one takes nothing to be true unless one actually has or can obtain access to a proof of it. This requires the denial of the law of excluded middle: A or not A. For if A is a statement that something exists, then A or not A means that either there is a set of directions for constructing that thing, or else there is a proof that there can be no such set of directions; this is clearly not true. This makes constructive logic seem a bit strange to those who are not used to it. Since constructive logic was first used in mathematics as one reaction to the paradoxes of set theory and logic which were discovered at the turn of the century, most examples of the difference between constructive and classical logic have generally been mathematical examples. Such examples can be found, among other places, at the beginning of [Bee85], which also has other references.

It might be worthwhile here to look at a nonmathematical example. The law of excluded middle might well lead a legislator to propose a criminal law in which there is one penalty for a crime if A is true of the particular case and a different penalty if A is false. In classical logic, one is justified in concluding that if the crime covered by the law is committed and there is a conviction, then one of the two penalties would be applied. But in practice this does not follow. For suppose it turns out to be extremely difficult for the court system to decide whether or not A is true in a particular case. Then the case may be appealed all the way to the Supreme Court, a process which can take years (even more than a decade). During this time, neither penalty will be applied. And the courts may wind up deciding that A is so difficult to decide that the courts cannot do so constitutionally (as they might, for example, if they conclude as a matter of fact that trying to decide A is so difficult that it is impossible to do so in a way that does not treat people arbitrarily); in this case, the original law would be unconstitutional, and so no penalty would be applied (even if it were not in dispute that the defendant had committed the crime). Here is a nonmathematical case in which the law of excluded middle can be doubted.

Note the relationship between the use of constructive logic and the need to consider how a decision can be made. Constructive logic is often thought of as the logic of what can actually be done by computations if there are no limitations of time and space, and this makes it particularly appropriate for reasoning about computing in a general setting. In fact, this connection is the basis of Constable's Nuprl proof development system, in which executable programs are generated by proving mathematical theorems [C*86].

Because  we  are  interested  in  a  proof  system,  we  are  especially  interested  in  re¬ 
ferring  to  proofs.  A  good  system  of  constructive  logic  in  which  proofs  are  mentioned 
explicitly  is  the  theory  of  constructions  of  Coquand  [CoqSS]1.  This  is  a  system  of 
type  assignment  to  A- terms;  the  proofs  are  (roughly)  represented  by  the  terms  and 
the  formulas  by  the  types.  Although  the  rules  of  the  system  are  easy  to  state,  the 
system  is,  in  fact,  the  result  of  a  considerable  evolution  through  a  number  of  other 
systems  of  typed  A-calculus,  and  is  best  understood  in  the  light  of  those  systems. 

For  this  reason  we  shall  not  take  up  the  theory  of  constructions  itself  until  Chap¬ 
ter  4.  In  Chapter  1  we  shall  take  a  look  at  typed  A-calculus.  In  Chapter  2  we  shall 
consider  deductive  systems  which  assign  types  to  A-terms  without  types.  We  shall 
consider  the  basic  system  and  and  several  of  its  generalizations.  These  generaliza¬ 
tions  include  the  second-order  polymorphic  typed  A-calculus2,  Martin-Lof’s  theory 
of  types3,  and  generalized  type  assignment  in  the  style  of  [HS86]  Chapter  16.  The 
theory  of  constructions  is  a  form  of  generalized  type  assignment,  and  so  readers  will 
be  in  a  position  at  the  end  of  Chapter  2  to  proceed  directly  to  the  theory  itself  in 
Chapter  4. 

*See  also  [CH84],  [CH86],  [CH],  [Coq86a],  [Coq86b],  and  [Coq]. 

sThis  system  was  introduced  independently  by  Girard  [Gir71]  and  Reynolds  [Rey74]  and  studied 
extensively  by  a  number  of  people,  including  [FL083], 

*See  [Mar75],  [Mar82],  [Mar84],  Chapter  XI  of  [Bee85],  and  [C*86]. 
However, to fully appreciate the theory of constructions, it is desirable to consider both constructive logic and the idea of interpreting terms as proofs and types as formulas. This idea, which is often called the Curry-Howard isomorphism, was introduced by a number of people independently, including [How80], who based the idea on an observation of Curry [CF58], §9E. We take up this subject in Chapter 3. We begin in Sections 3.1-3.2 with a simple calculus of constructive logic for implication formulas, and show its relation to the simple system of type assignment. We then proceed in Sections 3.3-3.4 to extend the system to the other propositional connectives, and show that the law of excluded middle fails in this calculus of constructive logic. This is enough of the chapter for a basic understanding of both constructive logic and the Curry-Howard isomorphism, and many readers may want to proceed directly from the end of Section 3.4 to Chapter 4. However, some readers may want to see a treatment of predicate logic, and in Sections 3.4 and 3.5, we present versions of (constructive) first-order predicate logic and higher-order predicate logic which illustrate the Curry-Howard isomorphism and look toward one of Coquand's motivations for creating the theory of constructions.

In Chapter 4, we come to the theory of constructions itself. We give its rules in a natural deduction formulation, which is a bit different from the form in which Coquand gave them but is more closely associated with the systems of type assignment mentioned in Chapter 2. We then proceed to prove the main consistency theorem for the system, the strong normalization theorem. We next show the relationship between the natural deduction formulation given here and the original formulation of Coquand.

Finally, in Chapter 5, we take up the representation of logic and mathematics in the theory of constructions. This is clearly necessary if this theory is to serve as the mathematical basis for MATHESIS and the rest of the ROMULUS project. We show how to represent logic, both constructive and classical, natural numbers, sets, and functions. The representation of natural numbers includes a representation of the principle of mathematical induction, and the method of doing this can easily be extended to other inductively defined free algebras. As an example of this, we show how to represent lists (finite sequences); this representation has direct application to the formulation of the hook-up security theory which is used in ROMULUS. The material of this chapter is all based on the work of Coquand and Huet⁴, but in addition to the definitions and examples of the papers of Coquand and Huet, we feel a need to use the strong normalization theorem to give some proofs that the representations of logical and mathematical concepts really behave correctly.

⁴ See [CH86] and [CH] in particular.
Chapter 1

TYPED LAMBDA-CALCULUS

The λ-calculus is a fundamental prototype for functional programming languages, and the typed λ-calculus is the natural typed version. Here we shall consider as much of the typed λ-calculus as we will need for the rest of the work. A general introduction to both the λ-calculus and the typed λ-calculus can be found in Hindley & Seldin [HS86].

Most of the systems we will consider will not have models in the usual set-theoretic sense of that term. However, ordinary typed λ-calculus does have such models, and so we shall begin with them.
1.1 Type symbols and type structures.

Types are used for various kinds of data structures in different programming languages. Here, we will be concerned with certain particular compound type structures which are fairly common. They are: 1) the function space type $\alpha \to \beta$ of functions with arguments in $\alpha$ and values in $\beta$, 2) the cartesian product $\alpha \times \beta$ of two types $\alpha$ and $\beta$, and 3) the disjoint sum $\alpha + \beta$ of two types $\alpha$ and $\beta$.

For some purposes, the only kind of compound type we will be interested in will be the function space type. In other cases we will be interested in all three kinds of compound types. This leads to the two kinds of type symbols in the following definition:

Definition 1.1 (Type symbols) Assume that we have (finitely or countably many) atomic type symbols $\theta_1, \ldots, \theta_n, \ldots$. Then basic type symbols are defined as follows:

(a) Every atomic type symbol is a type symbol; and

(b) if $\alpha$ and $\beta$ are type symbols, then so is $(\alpha \to \beta)$.

Extended type symbols are defined by (a) and:

(c) If $\alpha$ and $\beta$ are type symbols, then so are $(\alpha \to \beta)$, $(\alpha \times \beta)$ and $(\alpha + \beta)$.

Remark It might appear that the basic type symbols limit us to functions of one variable. This appearance is false, for functions of several variables can be reduced to functions of one variable by a process known as currying (after H. B. Curry, who used it extensively; actually the process was used by others before Curry). To see how currying works, consider the example

$$h(x, y) = x - y.$$

Let $h^*$ be the one-place function whose value $h^*(a)$ at an argument $a$ is defined to be the function

$$f(y) = a - y = h(a, y).$$

Then we have

$$h^*(x)(y) = h(x, y),$$

and we have replaced our original two-place function by a new function of one variable. Our notation will reflect the process of currying, since

$$\alpha_1 \to \alpha_2 \to \cdots \to \alpha_{n-1} \to \alpha_n$$

will be an abbreviation for

$$\alpha_1 \to (\alpha_2 \to (\ldots (\alpha_{n-1} \to \alpha_n) \ldots)).$$

Additional notation. In extended type symbols, unnecessary parentheses will be omitted. The infixes $\times$ and $+$ will have a smaller scope than $\to$.
As a semantics for these type symbols, we associate with each type symbol $\alpha$ a set $D_\alpha$:

Definition 1.2 (Type structures) Assume that for each atomic type $\theta$ there is a set $D_\theta$. Then we define $D_\alpha$ for each compound type symbol $\alpha$ as follows:

(a) $D_{\alpha \to \beta}$ is the set of all functions with arguments in $D_\alpha$ and values in $D_\beta$;

(b) $D_{\alpha \times \beta}$ is the cartesian product $D_\alpha \times D_\beta$ of $D_\alpha$ and $D_\beta$; and

(c) $D_{\alpha + \beta}$ is the disjoint sum $D_\alpha + D_\beta$ of $D_\alpha$ and $D_\beta$.

A basic type structure is then defined to be the set

$$\{ D_\alpha \mid \alpha \text{ is a basic type symbol} \}.$$

An extended type structure is defined to be the set

$$\{ D_\alpha \mid \alpha \text{ is an extended type symbol} \}.$$

It is usual in set theory to take for the cartesian product $A \times B$ the set of all ordered pairs $(a, b)$ where $a \in A$ and $b \in B$. This is not strictly necessary here: all we really need is an operator $d_{A,B} : A \to B \to A \times B$ and two operators $\mathit{fst}_{A,B} : A \times B \to A$ and $\mathit{snd}_{A,B} : A \times B \to B$ such that $\mathit{fst}_{A,B}(d_{A,B}(a, b)) = a$ and $\mathit{snd}_{A,B}(d_{A,B}(a, b)) = b$. It is not strictly necessary that $d_{A,B}(a, b)$ be the pair $(a, b)$, but we will usually think of it that way, and so we will call it a pairing operator. The operators $\mathit{fst}_{A,B}$ and $\mathit{snd}_{A,B}$ will be called projection functions. If $A$ and $B$ are sets $D_\alpha$ and $D_\beta$ respectively, then instead of $d_{A,B}$, etc., we shall write $d_{\alpha,\beta}$, etc.

The disjoint sum $A + B$ is formed from $A$ and $B$ by making a copy $\mathit{inl}_{A,B}(a)$ of each element $a \in A$ and a copy $\mathit{inr}_{A,B}(b)$ of each $b \in B$ in such a way that each $\mathit{inl}_{A,B}(a)$ is distinct from each $\mathit{inr}_{A,B}(b)$, and then letting $A + B$ be the union of all the copies. In other words,

$$A + B = \{ \mathit{inl}_{A,B}(a) \mid a \in A \} \cup \{ \mathit{inr}_{A,B}(b) \mid b \in B \}.$$

Given any element of this disjoint union, it is possible to tell which of the sets it originally came from. It follows that there is, for any set $C$, a function

$$\mathit{case}_{A,B,C} : A + B \to (A \to C) \to (B \to C) \to C,$$

such that if $f : A \to C$, $g : B \to C$, $a \in A$, and $b \in B$, then

$$\mathit{case}_{A,B,C}(\mathit{inl}_{A,B}(a), f, g) = f(a)$$

and

$$\mathit{case}_{A,B,C}(\mathit{inr}_{A,B}(b), f, g) = g(b).$$

As before, we shall use the notation $\mathit{case}_{\alpha,\beta,\gamma}$ etc.

Often there is an interest in a type which is empty. This type will be called void, and will, for now, be taken as an atomic type. $D_{\mathit{void}}$ will be the empty set.

In some cases, we will want the type $N$ of the natural numbers. This will also be an atomic type, and $D_N$ will simply be the set of natural numbers. The successor function will be denoted by $\sigma$.

Note that a type structure does not include any set of pairs in which the first elements are in the same type but the second elements are in different types. Thus, there is no nontrivial way in a type structure to make the type of the second element depend on the first element rather than on the type of the first element. In particular, in a set of pairs whose first elements are natural numbers, all of the second elements must be of the same type. (Of course, sets with pairs whose first elements have the same type but whose second elements have different types can be formed by taking arbitrary unions, but they are not part of a type structure as defined by Definition 1.2.)
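The following Python program is an added worked example; it is not part of the report nor of the ROMULUS or MATHESIS systems. It represents the type symbols of Definition 1.1, computes the sets $D_\alpha$ of Definition 1.2 over small finite carriers (constructed here for the atoms bool, unit and void), and implements the pairing, projection, injection and case operators of this section together with the currying $h^*$ of the Remark. Every name in it (Atom, Arrow, Prod, Sum, D, show, is_basic, curry, apply_table, demo) and every representation choice (an element of $D_{\alpha \to \beta}$ as a table of argument/value pairs, $d(a, b)$ as the ordinary pair, $\mathit{inl}$ and $\mathit{inr}$ as tagged tuples) is this example's own assumption.

```python
from dataclasses import dataclass
from itertools import product as cartesian
from typing import Union

# Type symbols of Definition 1.1: atoms, ->, x and +.  Basic symbols use only atoms and ->.
@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Arrow:
    dom: "Ty"
    cod: "Ty"

@dataclass(frozen=True)
class Prod:
    left: "Ty"
    right: "Ty"

@dataclass(frozen=True)
class Sum:
    left: "Ty"
    right: "Ty"

Ty = Union[Atom, Arrow, Prod, Sum]

def is_basic(t: Ty) -> bool:
    """True for basic type symbols (atoms and -> only), False for extended ones."""
    if isinstance(t, Atom):
        return True
    if isinstance(t, Arrow):
        return is_basic(t.dom) and is_basic(t.cod)
    return False

def show(t: Ty) -> str:
    """Print a type symbol with the report's conventions: -> associates to the right,
    x and + have smaller scope than ->, and unnecessary parentheses are omitted."""
    if isinstance(t, Atom):
        return t.name
    if isinstance(t, Arrow):
        dom = show(t.dom)
        if isinstance(t.dom, Arrow):            # (a -> b) -> c keeps its parentheses
            dom = f"({dom})"
        return f"{dom} -> {show(t.cod)}"
    op = " x " if isinstance(t, Prod) else " + "
    return op.join(show(s) if isinstance(s, Atom) else f"({show(s)})"
                   for s in (t.left, t.right))

def D(t: Ty, atoms: dict) -> frozenset:
    """The set D_t of Definition 1.2 over the finite atomic carriers in `atoms`
    (assumed representation: functions as frozensets of (argument, value) pairs,
    products as ordinary pairs, sums as tagged copies ('inl', a) / ('inr', b))."""
    if isinstance(t, Atom):
        return frozenset(atoms[t.name])
    if isinstance(t, Arrow):
        dom = sorted(D(t.dom, atoms), key=repr)
        cod = D(t.cod, atoms)
        # one table for every way of choosing a value for each argument
        return frozenset(frozenset(zip(dom, values))
                         for values in cartesian(cod, repeat=len(dom)))
    if isinstance(t, Prod):
        return frozenset(cartesian(D(t.left, atoms), D(t.right, atoms)))
    return frozenset({("inl", a) for a in D(t.left, atoms)}
                     | {("inr", b) for b in D(t.right, atoms)})

# The operators of Section 1.1 on the representations chosen above.
def d(a, b): return (a, b)                          # pairing operator d_{A,B}
def fst(p): return p[0]                             # projection fst_{A,B}
def snd(p): return p[1]                             # projection snd_{A,B}
def inl(a): return ("inl", a)                       # injection inl_{A,B}
def inr(b): return ("inr", b)                       # injection inr_{A,B}
def case(s, f, g):                                  # case_{A,B,C}: dispatch on the summand
    tag, x = s
    return f(x) if tag == "inl" else g(x)
def apply_table(fn, arg): return dict(fn)[arg]      # apply an element of D_{a -> b}
def curry(h): return lambda x: (lambda y: h(x, y))  # h* of the Remark

def demo() -> dict:
    """Sizes of some D_t over constructed carriers, plus the operators in use."""
    bool_, unit, void = Atom("bool"), Atom("unit"), Atom("void")
    atoms = {"bool": {False, True}, "unit": {()}, "void": set()}    # constructed carriers
    sizes = {
        show(Arrow(bool_, bool_)): len(D(Arrow(bool_, bool_), atoms)),  # 2^2 = 4 functions
        show(Prod(bool_, bool_)): len(D(Prod(bool_, bool_), atoms)),    # 2*2 = 4 pairs
        show(Sum(bool_, unit)): len(D(Sum(bool_, unit), atoms)),        # 2+1 = 3 tagged copies
        show(Arrow(void, bool_)): len(D(Arrow(void, bool_), atoms)),    # only the empty function
        show(Arrow(bool_, void)): len(D(Arrow(bool_, void), atoms)),    # no function at all
    }
    identity = frozenset({(False, False), (True, True)})
    return {
        "sizes": sizes,
        "identity_in_D": identity in D(Arrow(bool_, bool_), atoms),
        "identity_applied": apply_table(identity, True),
        "fst_snd": (fst(d(1, "x")), snd(d(1, "x"))),
        "case_inl": case(inl(3), lambda a: a * 10, len),
        "case_inr": case(inr("abc"), lambda a: a * 10, len),
        "curried_sub": curry(lambda x, y: x - y)(7)(2),
    }
```

demo() makes Definition 1.2 concrete: $|D_{\mathit{bool} \to \mathit{bool}}| = 2^2 = 4$, $|D_{\mathit{void} \to \mathit{bool}}| = 1$ (the empty function) and $|D_{\mathit{bool} \to \mathit{void}}| = 0$, the semantic side of the later remark that there should be no closed term of type void; show() exercises the parenthesis conventions of the Additional notation, and case() on inl and inr values shows why $\mathit{case}_{A,B,C}$ is well defined on a disjoint sum.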
1.2 The typed λ-calculus.

So far, we have talked about structures consisting of sets and some functions associated with them. Except for these functions and the natural numbers, we have not talked about any of the elements of the sets. Here, we introduce a formalism of terms which will represent these objects. The formalism we will use is the typed λ-calculus.

The basic idea behind the λ-calculus is the λ-notation of Alonzo Church. The idea is really simple: we are used to saying that if $f$ represents the squaring function, so that $f(x) = x^2$, then $f(2) = 2^2 = 4$. We also sometimes say that this function $f$ is given by $x \mapsto x^2$. We might well ask why we do not write

$$(x \mapsto x^2)(2) = 2^2 = 4.$$

The reason is that in the 1930s, Alonzo Church proposed writing

$$(\lambda x . x^2)(2) = 2^2 = 4. \qquad (1.1)$$

This is the basis of the λ-calculus.

In the λ-calculus, we use complete currying. In this notation, the term representing the function $h^*$ of §1 is

$$\lambda x . \lambda y . h(x, y).$$

Since we are interested in terms representing objects in the sets of type structures, we are really interested in the typed λ-calculus. There are a number of forms of this system, depending on which types we are using. Let us begin with the basic type symbols.

Definition 1.3 (Basic typed λ-terms) Assume that we have infinitely many individual term variables, where each variable is assigned a type symbol in such a way that there are an infinite number of variables assigned to each type, and suppose that $x^\alpha$ indicates a variable of type (symbol) $\alpha$. Then basic typed λ-terms are defined as follows:

(a) each typed variable $x^\alpha$ is a typed term of type $\alpha$;

(b) if $M^{\alpha \to \beta}$ and $N^\alpha$ are typed terms of types $\alpha \to \beta$ and $\alpha$ respectively, then $(M^{\alpha \to \beta} N^\alpha)^\beta$ is a typed term of type $\beta$; and

(c) if $x^\alpha$ is a variable of type $\alpha$ and $M^\beta$ is a term of type $\beta$, then $(\lambda x^\alpha . M^\beta)^{\alpha \to \beta}$ is a term of type $\alpha \to \beta$.

A term of the form given by (b) is called an application term. A term of the form given by (c) is called an abstraction term.
Notation Parentheses will be omitted when no confusion results. For compound application terms, parentheses will be omitted by association to the left, so that

$$M^{\alpha \to \beta \to \gamma \to \delta} N^\alpha P^\beta Q^\gamma$$

is an abbreviation for

$$(((M^{\alpha \to \beta \to \gamma \to \delta} N^\alpha)^{\beta \to \gamma \to \delta} P^\beta)^{\gamma \to \delta} Q^\gamma)^\delta.$$

Superscripts indicating types will sometimes be omitted when the type is clear from the context.

The notation

$$M \equiv N$$

will mean that "$M$" and "$N$" are names for the same term. This notation will be especially used in definitions, such as Definition 1.5 below.

Examples

(a) $(\lambda x^\alpha . x^\alpha)^{\alpha \to \alpha}$ represents the identity function of type $\alpha$.

(b) If $F^{\beta \to \gamma}$ and $G^{\alpha \to \beta}$ are terms of types $\beta \to \gamma$ and $\alpha \to \beta$ respectively, then $\lambda x^\alpha . F^{\beta \to \gamma}(G^{\alpha \to \beta} x^\alpha)$ represents the composition of the functions represented by $F^{\beta \to \gamma}$ and $G^{\alpha \to \beta}$.

(c) $\lambda x^{\beta \to \gamma} . \lambda y^{\alpha \to \beta} . \lambda z^\alpha . x^{\beta \to \gamma}(y^{\alpha \to \beta} z^\alpha)$, which is a term of type $(\beta \to \gamma) \to (\alpha \to \beta) \to \alpha \to \gamma$, represents the operation of composition of functions of types $\alpha \to \beta$ and $\beta \to \gamma$.

(d) If $M^\alpha$ is a term of type $\alpha$ and $x^\beta$ is a variable of type $\beta$ which does not occur free in $M^\alpha$ (in the sense of Definition 1.4 below), then $(\lambda x^\beta . M^\alpha)^{\beta \to \alpha}$ represents a constant function whose value for each argument is the object represented by $M^\alpha$.

(e) $\lambda x^\alpha . \lambda y^\beta . x^\alpha$, which is a term of type $\alpha \to \beta \to \alpha$, represents the operator which forms constant functions with arguments in $\beta$ and value in $\alpha$.

Definition 1.4 (Free and bound variables) An occurrence of a variable $x^\alpha$ in a term $M$ is bound if it is in a part of $M$ of the form $\lambda x^\alpha . N^\beta$; otherwise it is free. If $x^\alpha$ has at least one free occurrence in $M$, it is called a free variable of $M$. The set of all free variables of $M$ is called $\mathrm{FV}(M)$. A closed term is a term without any free variables.

If one of the atomic types is void, then by Definition 1.3 there will be variables of this type. However, it is the intention that there be no closed term of type void. A proof that there is no closed term of type void is a kind of consistency result for typed λ-calculus.
Definition 1.5 (Substitution)  For a term $M^{\beta}$, a variable $x^{\alpha}$, and another term $N^{\alpha}$ of the same type as the variable, the result of substituting $N^{\alpha}$ for $x^{\alpha}$ in $M^{\beta}$, denoted

$[N^{\alpha}/x^{\alpha}]M^{\beta},$

is the result of substituting $N^{\alpha}$ for each free occurrence of $x^{\alpha}$ in $M^{\beta}$ and changing bound variables to avoid clashes. The precise definition, by induction on the structure of $M^{\beta}$, is as follows, where some type superscripts are omitted:

(a) $[N^{\alpha}/x^{\alpha}]x^{\alpha} \equiv N^{\alpha}$;

(b) $[N^{\alpha}/x^{\alpha}]y^{\beta} \equiv y^{\beta}$ for all variables $y^{\beta}$ distinct from $x^{\alpha}$;

(c) $[N^{\alpha}/x^{\alpha}](P^{\gamma\to\beta}Q^{\gamma}) \equiv ([N^{\alpha}/x^{\alpha}]P^{\gamma\to\beta})([N^{\alpha}/x^{\alpha}]Q^{\gamma})$;

(d) $[N^{\alpha}/x^{\alpha}](\lambda x^{\alpha}.P^{\gamma}) \equiv \lambda x^{\alpha}.P^{\gamma}$;

(e) $[N^{\alpha}/x^{\alpha}](\lambda y^{\gamma}.P^{\delta}) \equiv \lambda y^{\gamma}.[N^{\alpha}/x^{\alpha}]P^{\delta}$

if $y^{\gamma} \not\equiv x^{\alpha}$ and ($y^{\gamma} \notin FV(N^{\alpha})$ or $x^{\alpha} \notin FV(P^{\delta})$); and

(f) $[N^{\alpha}/x^{\alpha}](\lambda y^{\gamma}.P^{\delta}) \equiv \lambda z^{\gamma}.[N^{\alpha}/x^{\alpha}][z^{\gamma}/y^{\gamma}]P^{\delta}$

if $y^{\gamma} \not\equiv x^{\alpha}$, $y^{\gamma} \in FV(N^{\alpha})$, $x^{\alpha} \in FV(P^{\delta})$, and $z^{\gamma}$ is the first variable with the same type as $y^{\gamma}$ in a standard enumeration of variables which is not in $FV(N^{\alpha})$ or $FV(P^{\delta})$.

If the type of $N$ differs from the type of $x$, then $[N/x]M$ is not defined.

We are now in a position to introduce a relation which corresponds to the process of calculating values, as in (1.1) above. This relation is called reduction. The main idea behind reduction is the instruction we always give beginners for evaluating $f(x)$. For example, if $f(x) = x^2$, the instruction for evaluating $f(2)$ is to replace $x$ by $2$, thus getting $2^2 = 4$. This idea gives us the essential relation between a redex and its contractum in the next definition.

Definition 1.6 (Reduction)  A (one-step) change of bound variable consists of the replacement of a subterm of a term $P^{\gamma}$ of the form

$\lambda x^{\alpha}.M^{\beta}$

by

$\lambda y^{\alpha}.[y^{\alpha}/x^{\alpha}]M^{\beta},$

where $y^{\alpha} \notin FV(M^{\beta})$. A redex is a term of the form $(\lambda x^{\alpha}.M^{\beta})N^{\alpha}$; its contractum is $[N^{\alpha}/x^{\alpha}]M^{\beta}$. A contraction is the replacement of a redex by its contractum in a term (where the redex before the contraction and the contractum after the contraction are subterms of the term being contracted). A reduction is a (possibly empty) sequence of contractions and changes of bound variable.

If $M$ reduces to $N$, we write

$M \triangleright N.$

Definition 1.7 (Conversion)  An expansion is the reverse of a contraction; i.e., $M$ expands to $N$ if and only if $N$ contracts to $M$. A term $M$ is said to convert to $N$ if $N$ can be obtained from $M$ by a (possibly empty) sequence of contractions, expansions, and changes of bound variable.

If $M$ converts to $N$, we write

$M =_{\beta} N.$


Let us now turn our attention to the other type-forming operators, $\times$ and $+$. For terms of type $\alpha\times\beta$, we need a pairing operator $D_{\alpha,\beta}$ of type $\alpha\to\beta\to\alpha\times\beta$. We will also want terms representing the projection functions: we want $\mathrm{fst}_{\alpha,\beta}$ and $\mathrm{snd}_{\alpha,\beta}$ of types $\alpha\times\beta\to\alpha$ and $\alpha\times\beta\to\beta$ respectively such that

$\mathrm{fst}_{\alpha,\beta}(D_{\alpha,\beta}M^{\alpha}N^{\beta}) \triangleright M^{\alpha}$ and $\mathrm{snd}_{\alpha,\beta}(D_{\alpha,\beta}M^{\alpha}N^{\beta}) \triangleright N^{\beta}.$

To deal with terms of type $\alpha+\beta$, we need terms $\mathrm{inl}_{\alpha,\beta}$, $\mathrm{inr}_{\alpha,\beta}$, and $\mathrm{case}_{\alpha,\beta,\gamma}$ of types $\alpha\to\alpha+\beta$, $\beta\to\alpha+\beta$ and $\alpha+\beta\to(\alpha\to\gamma)\to(\beta\to\gamma)\to\gamma$ respectively such that

$\mathrm{case}_{\alpha,\beta,\gamma}(\mathrm{inl}_{\alpha,\beta}M^{\alpha})f^{\alpha\to\gamma}g^{\beta\to\gamma} \triangleright f^{\alpha\to\gamma}M^{\alpha}$

and

$\mathrm{case}_{\alpha,\beta,\gamma}(\mathrm{inr}_{\alpha,\beta}N^{\beta})f^{\alpha\to\gamma}g^{\beta\to\gamma} \triangleright g^{\beta\to\gamma}N^{\beta}.$

We will also want to have natural numbers represented. This can be accomplished by taking one of the atomic type symbols to be $\mathbf{N}$ and postulating atomic terms $0^{\mathbf{N}}$ of type $\mathbf{N}$, $\sigma^{\mathbf{N}\to\mathbf{N}}$ of type $\mathbf{N}\to\mathbf{N}$, and, to represent primitive recursive functions, $R_{\alpha}$ of type $\alpha\to(\mathbf{N}\to\alpha\to\alpha)\to\mathbf{N}\to\alpha$ such that

$R_{\alpha}M^{\alpha}N^{\mathbf{N}\to\alpha\to\alpha}0^{\mathbf{N}} \triangleright M^{\alpha}$

and

$R_{\alpha}M^{\alpha}N^{\mathbf{N}\to\alpha\to\alpha}(\sigma^{\mathbf{N}\to\mathbf{N}}n^{\mathbf{N}}) \triangleright N^{\mathbf{N}\to\alpha\to\alpha}n^{\mathbf{N}}(R_{\alpha}M^{\alpha}N^{\mathbf{N}\to\alpha\to\alpha}n^{\mathbf{N}}),$

where $n^{\mathbf{N}}$ is the term representing the natural number $n$, that is, the term

$\sigma^{\mathbf{N}\to\mathbf{N}}(\sigma^{\mathbf{N}\to\mathbf{N}}(\ldots(\sigma^{\mathbf{N}\to\mathbf{N}}0^{\mathbf{N}})\ldots)), \qquad (1.2)$

where there are $n$ occurrences of $\sigma^{\mathbf{N}\to\mathbf{N}}$.

We are now ready to define extended typed $\lambda$-terms.

Definition 1.8 (Extended typed $\lambda$-terms)  Assume that one of the atomic types is $\mathbf{N}$. Assume that we have individual term variables as in Definition 1.3 and that, in addition, we have the following atomic constants for any types $\alpha$, $\beta$, and $\gamma$: $D_{\alpha,\beta}$ of type $\alpha\to\beta\to\alpha\times\beta$, $\mathrm{fst}_{\alpha,\beta}$ of type $\alpha\times\beta\to\alpha$, $\mathrm{snd}_{\alpha,\beta}$ of type $\alpha\times\beta\to\beta$, $\mathrm{inl}_{\alpha,\beta}$ of type $\alpha\to\alpha+\beta$, $\mathrm{inr}_{\alpha,\beta}$ of type $\beta\to\alpha+\beta$, $\mathrm{case}_{\alpha,\beta,\gamma}$ of type $\alpha+\beta\to(\alpha\to\gamma)\to(\beta\to\gamma)\to\gamma$, $0^{\mathbf{N}}$ of type $\mathbf{N}$, $\sigma^{\mathbf{N}\to\mathbf{N}}$ of type $\mathbf{N}\to\mathbf{N}$, and $R_{\alpha}$ of type $\alpha\to(\mathbf{N}\to\alpha\to\alpha)\to\mathbf{N}\to\alpha$. An atomic term is a variable or an atomic constant. Extended typed terms are defined as in Definition 1.3 except that any atomic term may occur in clause (a).

Definitions 1.4 and 1.5 hold for extended typed terms as well as for basic typed terms. For reduction, we need some new kinds of redexes. The redexes of Definition 1.6 are called $\beta$-redexes to distinguish them from the other redexes needed here. (On the significance of this name, see Hindley & Seldin [HS86], Chapter 7.)

Definition 1.9 (Reduction)  Reduction is defined as in Definition 1.6 except that in addition to $\beta$-redexes we now have the following additional redexes (given with their contracta):

(fst)    redex $\mathrm{fst}_{\alpha,\beta}(D_{\alpha,\beta}M^{\alpha}N^{\beta})$, contractum $M^{\alpha}$;

(snd)    redex $\mathrm{snd}_{\alpha,\beta}(D_{\alpha,\beta}M^{\alpha}N^{\beta})$, contractum $N^{\beta}$;

(case1)  redex $\mathrm{case}_{\alpha,\beta,\gamma}(\mathrm{inl}_{\alpha,\beta}M^{\alpha})f^{\alpha\to\gamma}g^{\beta\to\gamma}$, contractum $f^{\alpha\to\gamma}M^{\alpha}$;

(case2)  redex $\mathrm{case}_{\alpha,\beta,\gamma}(\mathrm{inr}_{\alpha,\beta}N^{\beta})f^{\alpha\to\gamma}g^{\beta\to\gamma}$, contractum $g^{\beta\to\gamma}N^{\beta}$;

(R1)     redex $R_{\alpha}M^{\alpha}N^{\mathbf{N}\to\alpha\to\alpha}0^{\mathbf{N}}$, contractum $M^{\alpha}$;

(R2)     redex $R_{\alpha}M^{\alpha}N^{\mathbf{N}\to\alpha\to\alpha}(\sigma^{\mathbf{N}\to\mathbf{N}}n^{\mathbf{N}})$, contractum $N^{\mathbf{N}\to\alpha\to\alpha}n^{\mathbf{N}}(R_{\alpha}M^{\alpha}N^{\mathbf{N}\to\alpha\to\alpha}n^{\mathbf{N}})$;

where $n^{\mathbf{N}}$ is the term given in (1.2) above. Definition 1.7 now holds as before.
The basic theory of typed $\lambda$-calculus

Let us begin with the theory of basic typed $\lambda$-terms of Definition 1.3.

Lemma 1.1 (Replacement)  If an occurrence of a typed term $P^{\alpha}$ in a typed term $M^{\beta}$ is replaced by another term with type $\alpha$, then the result is a typed term of type $\beta$.

Proof  By induction on the structure of $M^{\beta}$. ■

Theorem 1.1 (Invariance of reduction)  If $M^{\alpha} \triangleright N$, then $N$ has type $\alpha$.

Proof  By Lemma 1.1, it is sufficient to prove that types are preserved by changes of bound variable and that a contractum has the same type as its redex. This will follow in both cases from the fact that $[N^{\alpha}/x^{\alpha}]M^{\beta}$ is a term of type $\beta$, and this latter fact can be seen by applying Lemma 1.1 to the cases of Definition 1.5. ■

We noted in Section 1.2 above that reduction corresponds to the process of evaluating the result of applying a function to an argument. Since there are many well-known calculations that never come to an end, we might expect to find typed $\lambda$-terms that can begin reductions continuing forever. In a trivial sense, most typed $\lambda$-terms begin such a reduction, since bound variables can be changed whenever they occur. But changing bound variables does not really correspond to a calculation step; what we really want to know is whether there is a typed term with the property that every term to which it reduces contains an occurrence of a redex. It turns out that the answer is no.

Definition 1.10 (Normal form)  A term is said to be in normal form if there is no occurrence of a redex in it. If $M^{\alpha} \triangleright N^{\alpha}$, where $N^{\alpha}$ is in normal form, then $N^{\alpha}$ is said to be a normal form of $M^{\alpha}$.

Theorem 1.2 (Normal form theorem)  Every basic typed term has a normal form; i.e., every basic typed term can be reduced to a term in normal form.

Proof  Define the degree of a type-symbol to be the number of occurrences of the symbol $\to$ in it, and define the degree of a redex $(\lambda x^{\alpha}.M^{\beta})N^{\alpha}$ to be the degree of the type $\alpha\to\beta$ of the abstraction part of the redex. The proof is by an induction on the pair $(d,n)$, where $d$ is the maximum degree of any redex in the given term and $n$ is the number of occurrences in the term of redexes with degree $d$. The pairs are ordered by specifying that $(d,n) < (d',n')$ if and only if either $d < d'$ or else $d = d'$ and $n < n'$. Since changing bound variables does not change the pair associated with a given term, it is sufficient to concentrate on the contraction of redexes. At each stage a redex $(\lambda x^{\alpha}.M^{\beta})N^{\alpha}$ is chosen which has degree $d$ and is such that there is no occurrence in $N^{\alpha}$ of a redex of degree $d$. The only redexes of degree $d$ in the contractum $[N^{\alpha}/x^{\alpha}]M^{\beta}$ are substitution instances of those occurring in $M^{\beta}$; hence, if the pair associated with the original term is $(d,n)$, then the pair associated with the term obtained by carrying out the contraction is $(d, n-1)$ if $n > 1$ and is $(d', m)$ for some $d' < d$ if $n = 1$. (Note that $n$ can never be $0$.) Hence, each such contraction leads to a new term with a pair lower in the ordering than the original term, and since the pairs under this ordering are well founded, it follows that the reduction process must terminate in a term in normal form. ■
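The definitions and the proof above can be carried out mechanically. The following Python program is an added example and is not part of the report: it implements basic typed λ-terms with substitution following clauses (a) to (f) of Definition 1.5, contraction as in Definition 1.6, the type check behind Lemma 1.1 and Theorem 1.1, and the (d, n) measure together with the redex-selection strategy of the proof of Theorem 1.2, so that the strict decrease of the measure can be watched on a concrete term. The type names, variable names and the sample term (the composition operator of Example (c) applied to two copies of the identity of Example (a) and then to a free variable) are constructed for the example, and the standard enumeration of variables in clause (f) is taken to be v0, v1, ...; both are assumptions of the example, not conventions of the report.

```python
# Added example, not the report's own code: basic typed lambda-terms (Definition 1.3)
# with substitution (Definition 1.5, clauses (a)-(f)), contraction (Definition 1.6),
# type checking (Theorem 1.1) and the (d, n) measure and strategy from the proof of
# Theorem 1.2.  A type is an atomic name (str) or ('->', alpha, beta).
from collections import namedtuple
from itertools import count

Var = namedtuple('Var', 'name type')   # x^alpha: a variable carries its type
App = namedtuple('App', 'fun arg')     # (M N)
Lam = namedtuple('Lam', 'var body')    # (lambda x^alpha . M)

def arrow(a, b): return ('->', a, b)
def degree(t):                         # occurrences of -> in a type symbol
    return 0 if isinstance(t, str) else 1 + degree(t[1]) + degree(t[2])

def type_of(t):
    """Definition 1.3 as a checker: (M N) is a term only if M : a -> b and N : a."""
    if isinstance(t, Var): return t.type
    if isinstance(t, Lam): return arrow(t.var.type, type_of(t.body))
    f, a = type_of(t.fun), type_of(t.arg)
    if isinstance(f, str) or f[1] != a:
        raise TypeError(f"cannot apply a term of type {f} to one of type {a}")
    return f[2]

def free_vars(t):                      # FV(M), Definition 1.4
    if isinstance(t, Var): return {t}
    if isinstance(t, App): return free_vars(t.fun) | free_vars(t.arg)
    return free_vars(t.body) - {t.var}

def fresh(typ, avoid):                 # first of v0, v1, ... (assumed enumeration) of type typ not in avoid
    return next(v for v in (Var(f"v{i}", typ) for i in count()) if v not in avoid)

def subst(n, x, m):
    """[N/x]M, clause by clause as in Definition 1.5."""
    if type_of(n) != x.type:
        raise TypeError("[N/x]M is undefined when N and x differ in type")
    if isinstance(m, Var): return n if m == x else m                 # (a), (b)
    if isinstance(m, App): return App(subst(n, x, m.fun), subst(n, x, m.arg))  # (c)
    y, p = m.var, m.body
    if y == x: return m                                              # (d) x is bound in M
    if y not in free_vars(n) or x not in free_vars(p):
        return Lam(y, subst(n, x, p))                                # (e) no capture possible
    z = fresh(y.type, free_vars(n) | free_vars(p))                   # (f) rename y to z first
    return Lam(z, subst(n, x, subst(z, y, p)))

def is_redex(t): return isinstance(t, App) and isinstance(t.fun, Lam)
def redex_degree(r): return degree(type_of(r.fun))  # degree of a -> b, the abstraction's type

def redexes(t, path=()):
    """Every redex occurrence in t as (path, subterm), outermost first."""
    found = [(path, t)] if is_redex(t) else []
    if isinstance(t, App):
        found += redexes(t.fun, path + ('fun',)) + redexes(t.arg, path + ('arg',))
    elif isinstance(t, Lam):
        found += redexes(t.body, path + ('body',))
    return found

def contract_at(t, path):
    """One contraction: replace the redex occurrence at `path` by its contractum."""
    if not path: return subst(t.arg, t.fun.var, t.fun.body)
    if path[0] == 'fun': return App(contract_at(t.fun, path[1:]), t.arg)
    if path[0] == 'arg': return App(t.fun, contract_at(t.arg, path[1:]))
    return Lam(t.var, contract_at(t.body, path[1:]))

def measure(t):
    """(d, n) of the proof of Theorem 1.2; (0, 0) exactly when t is in normal form."""
    ds = [redex_degree(r) for _, r in redexes(t)]
    return (max(ds), ds.count(max(ds))) if ds else (0, 0)

def normalize(t):
    """Contract, at each step, a redex of maximal degree d whose argument has no redex
    of degree d (the strategy of the proof).  Returns the normal form and the trace of
    measures, which strictly decreases in the ordering (d, n) < (d', n')."""
    trace = [measure(t)]
    while trace[-1] != (0, 0):
        d = trace[-1][0]
        path = next(p for p, r in redexes(t) if redex_degree(r) == d
                    and all(redex_degree(s) != d for _, s in redexes(r.arg)))
        t = contract_at(t, path)
        trace.append(measure(t))
    return t, trace

# Constructed sample: the composition operator of Example (c) at alpha = beta = gamma = A,
# applied to two copies of the identity of Example (a) and then to a free variable w.
A, AA = 'A', arrow('A', 'A')
xc, yc, zc = Var('x', AA), Var('y', AA), Var('z', A)
COMPOSE = Lam(xc, Lam(yc, Lam(zc, App(xc, App(yc, zc)))))
IDENT = Lam(Var('i', A), Var('i', A))
SAMPLE = App(App(App(COMPOSE, IDENT), IDENT), Var('w', A))

if __name__ == "__main__":
    nf, trace = normalize(SAMPLE)
    print("normal form:", nf, "\nmeasures:", trace)
```

Running the file reduces the sample to the variable w through the measures (5, 1), (3, 1), (1, 3), (1, 2), (1, 1), (0, 0), and type_of gives the same type A before and after, as Theorem 1.1 requires; applying a term of type A to another raises TypeError, which is the typechecking that the pure λ-calculus of Section 1.3 does without.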

Corollary 1.2.1  There is no closed basic typed $\lambda$-term in normal form with an atomic type.

Proof  Let $P^{\theta}$ be a closed term in normal form of type $\theta$, where $\theta$ is an atomic type. Then $P^{\theta}$ is not a variable, and since $\theta$ is atomic, it is not an abstraction term. It follows that $P^{\theta}$ is an application term. Suppose it has the form $P_0P_1\ldots P_m$, where $P_0$ is not an application term and type superscripts are omitted for convenience. (Every application term can be written in this form.) If $P_0$ were an abstraction term, then $P^{\theta}$ would not be in normal form. It follows that $P_0$ is a variable, and hence $P^{\theta}$ is not a closed term, contrary to hypothesis. ■

This corollary shows that the normalization theorem gives us a kind of consistency result. For if void is one of the atomic types, then it shows that there is no closed term in normal form of type void. Since, as can be easily proved, reduction never introduces any new free variables into a term, it follows that there is no closed term in any atomic type, and hence there is none in void.

There is no problem about extending Lemma 1.1 and Theorem 1.1 to extended typed terms. Furthermore, Theorem 1.2 can be extended to extended typed terms involving (fst), (snd), (case1), (case2), and (R1) redexes. But as soon as (R2) redexes are allowed, there is a problem, for it is possible to have a subterm of the form $R_{\alpha}M^{\alpha}N^{\mathbf{N}\to\alpha\to\alpha}P^{\mathbf{N}}$ which is not a redex but which becomes a redex after contractions are carried out in $P^{\mathbf{N}}$ on redexes of lower degree. However, there is an alternative method of proof, which is more complicated, which proves Theorem 1.2 for extended typed terms with (R2) redexes. In fact, this stronger method of proof actually proves a stronger result for both the basic and extended systems.

Theorem 1.3 (Strong normalization theorem)  Every sequence of contractions starting with a typed $\lambda$-term terminates in a term in normal form.

For the proof, see Hindley & Seldin [HS86], Appendix 2.

Corollary 1.2.1 is clearly not true in the extended system with terms for the natural numbers, since $0^{\mathbf{N}}$ is a closed term in normal form with atomic type $\mathbf{N}$. However, it is possible to prove that there is no closed term in void. The proof begins like the proof of Corollary 1.2.1, but becomes more complicated at the point of analyzing $P_0$, for now $P_0$ might be an atomic constant, and we need a case for each one. For example, we have to consider the possibility that it is $\mathrm{fst}_{\alpha,\beta}$. Then $P_1$ has type $\alpha\times\beta$. Since $P_1$ is in normal form and is closed, it must be of the form $D_{\alpha,\beta}M^{\alpha}N^{\beta}$, contradicting the assumption that $P^{\theta}$ is in normal form. Similar arguments work for the other atomic constants. This proves:

Corollary 1.3.1  If one of the atomic types is void, then there is no closed term of type void.

We can also obtain a result concerning type $\mathbf{N}$.

Corollary 1.3.2  Every closed term of type $\mathbf{N}$ reduces to a numeral; i.e., to a term of the form

$\sigma^{\mathbf{N}\to\mathbf{N}}(\sigma^{\mathbf{N}\to\mathbf{N}}(\ldots(\sigma^{\mathbf{N}\to\mathbf{N}}0^{\mathbf{N}})\ldots)).$

Proof  Given a closed term of type $\mathbf{N}$, let $P^{\mathbf{N}}$ be its normal form. The proof is by induction on the structure of the term $P^{\mathbf{N}}$. Follow the proof of Corollary 1.3.1 through the analysis of $P_0$; there are now additional cases in which it may be $0^{\mathbf{N}}$, $\sigma^{\mathbf{N}\to\mathbf{N}}$, or $R_{\alpha}$. If it is $0^{\mathbf{N}}$, we are done. Otherwise, the argument of $\sigma^{\mathbf{N}\to\mathbf{N}}$ or the third argument of $R_{\alpha}$ is a closed term of type $\mathbf{N}$ in normal form, hence a numeral by the induction hypothesis, and so we either have another numeral or an (R1) or (R2) redex; the latter is impossible because $P^{\mathbf{N}}$ is in normal form. ■

We would now like to prove that the type structures introduced in Section 1 form a model of the extended typed $\lambda$-terms.

Definition 1.11 (Valuation)  A valuation for a given type structure is a function $\rho$ which assigns to each variable $x^{\alpha}$ of type $\alpha$ an element $\rho(x^{\alpha})$ of $D_{\alpha}$. If $\rho$ is a valuation, then $[d/x^{\alpha}]\rho$, where $d \in D_{\alpha}$, is the valuation $\tau$ with the property that $\tau(x^{\alpha}) = d$ and, for each variable $y^{\beta}$ distinct from $x^{\alpha}$, $\tau(y^{\beta}) = \rho(y^{\beta})$.

Definition 1.12 (Assignment)  For each valuation $\rho$ and for each extended typed $\lambda$-term $M$, an object $|M|_{\rho}$, called the assignment of $M$ determined by the valuation $\rho$ or, when no confusion results, the assignment of $M$, is defined as follows, where the notation $|M|$ is used when no confusion results. For a variable, $|x^{\alpha}|_{\rho} = \rho(x^{\alpha})$; for the atomic constants and the compound terms:

(a) $|D_{\alpha,\beta}|$ is the function which, given $d_1 \in D_{\alpha}$ and $d_2 \in D_{\beta}$ as arguments, returns the value $d_{\alpha,\beta}(d_1,d_2)$;

(b) $|\mathrm{fst}_{\alpha,\beta}| = \mathrm{fst}_{\alpha,\beta} : D_{\alpha\times\beta} \to D_{\alpha}$;

(c) $|\mathrm{snd}_{\alpha,\beta}| = \mathrm{snd}_{\alpha,\beta} : D_{\alpha\times\beta} \to D_{\beta}$;

(d) $|\mathrm{inl}_{\alpha,\beta}| = \mathrm{inl}_{\alpha,\beta} : D_{\alpha} \to D_{\alpha+\beta}$;

(e) $|\mathrm{inr}_{\alpha,\beta}| = \mathrm{inr}_{\alpha,\beta} : D_{\beta} \to D_{\alpha+\beta}$;

(f) $|\mathrm{case}_{\alpha,\beta,\gamma}| = \mathrm{case}_{\alpha,\beta,\gamma} : D_{\alpha+\beta} \to D_{\alpha\to\gamma} \to D_{\beta\to\gamma} \to D_{\gamma}$;

(g) $|0^{\mathbf{N}}| = 0$;

(h) $|\sigma^{\mathbf{N}\to\mathbf{N}}| = \sigma$;

(i) $|R_{\alpha}|$ is the function which, given an element $d \in D_{\alpha}$ and a function $h : D_{\mathbf{N}} \to D_{\alpha} \to D_{\alpha}$, returns as a value the function $f : D_{\mathbf{N}} \to D_{\alpha}$ with the property that $f(0) = d$ and $f(n+1) = h(n, f(n))$;

(j) $|M^{\alpha\to\beta}N^{\alpha}| = |M^{\alpha\to\beta}|(|N^{\alpha}|)$ if this makes sense (i.e., if $|M^{\alpha\to\beta}|$ is a function and $|N^{\alpha}|$ is an object in its domain);

(k) $|\lambda x^{\alpha}.M^{\beta}|_{\rho}$ is the function $f : D_{\alpha} \to D_{\beta}$ which, for each element $d \in D_{\alpha}$, returns $|M^{\beta}|_{\tau}$, where $\tau$ is $[d/x^{\alpha}]\rho$.

Theorem 1.4  For each extended typed $\lambda$-term $M^{\alpha}$ of type $\alpha$, and for each valuation $\rho$, $|M^{\alpha}|_{\rho} \in D_{\alpha}$. Furthermore, if $M^{\alpha} =_{\beta} N^{\alpha}$, then $|M^{\alpha}|_{\rho} = |N^{\alpha}|_{\rho}$.

Proof  The first part is proved by induction on the structure of $M^{\alpha}$. The second part is proved by showing that assignment is invariant under changes of bound variable and that the assignment of any redex is equal to that of its contractum; this follows from Definition 1.12. ■


1.3 The Church-Rosser theorem and pure $\lambda$-calculus.

As we have seen, every reduction sequence starting with a typed $\lambda$-term terminates in a normal form. But we might well wonder if different reduction sequences terminate in different normal forms. In a trivial sense they do, since a change of bound variable applied to a normal form leads to a distinct normal form. But normal forms which differ only in their bound variables are really essentially the same. What we would like to know is whether or not there are any typed terms which have two or more truly distinct normal forms. The answer turns out to be no: all normal forms of a given typed $\lambda$-term differ by only changes of bound variables. This result is a consequence of a theorem due originally to Church & Rosser [CR36].

Theorem 1.5 (Church-Rosser Theorem)  If $M$, $N$, and $P$ are typed terms such that $P \triangleright M$ and $P \triangleright N$, then there is a term $Q$ such that $M \triangleright Q$ and $N \triangleright Q$.

All known proofs of this theorem are too long and complicated to be given here. The most readable proof is probably that of Rosser [Ros84], pp. 342-343. What is perhaps most interesting about this proof (and almost all other published proofs) is that it makes no reference to the type structure; it remains valid if all of the type superscripts are deleted. In fact, the theorem is not really as much a theorem about the typed $\lambda$-calculus as it is a theorem about the $\lambda$-calculus. This makes it worth taking a brief look at the pure $\lambda$-calculus.

Definition 1.13 (Pure $\lambda$-terms)  Assume that we have infinitely many variables and perhaps some constants. Then the (pure) $\lambda$-terms are defined as follows:

(a) Variables and constants are $\lambda$-terms;

(b) If $M$ and $N$ are $\lambda$-terms, then $(MN)$ is a $\lambda$-term; and

(c) If $x$ is a variable and $M$ is a $\lambda$-term, then $(\lambda x.M)$ is a $\lambda$-term.

Free and bound variables, substitution, reduction, and conversion are defined much as for typed $\lambda$-terms; the main difference is that typechecking is not needed in substitution or in forming application terms. Clearly, any typed $\lambda$-term can be transformed into a pure $\lambda$-term by deleting the type superscripts. On the other hand, there are pure $\lambda$-terms to which no typed $\lambda$-terms correspond. For example, the term

$\lambda x.xx$

does not correspond to any typed term, since there is no typed variable $x^{\alpha}$ with a type $\alpha$ that permits the formation of $x^{\alpha}x^{\alpha}$. Furthermore, the term

$(\lambda x.xx)(\lambda x.xx)$

contracts to itself, and so clearly has no normal form. The term

$(\lambda x.xxx)(\lambda x.xxx)$

contracts to

$(\lambda x.xxx)(\lambda x.xxx)(\lambda x.xxx),$

and so clearly has no normal form. These last two terms represent computations that do not terminate; the first one represents an infinite loop, and the second represents an expanding infinite loop. Nonterminating computations cannot be represented by typed terms.

The pure $\lambda$-calculus differs from the typed $\lambda$-calculus in another respect. The typed $\lambda$-terms have type structures as models. But the pure $\lambda$-calculus does not have such simple models in terms of set theory. The reason for this is that in the pure $\lambda$-calculus, any term can be applied to itself: if $M$ is a term, then so is $(MM)$. But the standard axioms of set theory prevent a set-theoretic function (in the usual sense of a set of ordered pairs) from being applied to itself. The typechecking required for the formation of typed application terms is a sufficient restriction to ensure that the terms can be modelled as functions in the ordinary set-theoretic sense.
Chapter 2


EXTENSIONS  OF  TYPED 
LAMBDA-CALCULUS 


Although the typed $\lambda$-calculus, which we saw in Chapter 1, is in an important sense the basis of the theory of constructions, the theory of constructions is not exactly a form of typed $\lambda$-calculus; it is actually a form of deductive system for assigning types to $\lambda$-terms. There are a number of such deductive systems, and we will look at several of them in this chapter. The ones at which we will look approximate a sequence of systems leading from the weakest, basic type assignment, to the strongest, which is the theory of constructions itself.

We begin with a basic system of type assignment, TA, which is equivalent to the ordinary typed $\lambda$-calculus. This system is much weaker than the theory of constructions, but its theory illustrates very well what we will want later for the theory of constructions itself. This system and its theory are considered in the first two sections. We then proceed, in the next two sections, to consider the second order polymorphic typed $\lambda$-calculus, which is one of the best known generalizations of ordinary type assignment and is of considerable interest to computer scientists in connection with polymorphism in programming languages. We will see some of the strength of this system.

The theory of constructions is a form of what is usually called generalized type assignment, which we will consider in the last four sections of the chapter. We begin first with a general description of the sort of generalization that is involved (Section 2.5), and we then see (Section 2.6) why systems of this sort require conversion on the types. We look at the basic system of generalized type assignment in Section 2.7, and we see that it is, in a sense, a conservative extension of ordinary type assignment. Finally, in Section 2.8, we look at some stronger systems that point the way to the theory of constructions; the most important of these is the universal fragment of the type theory of Martin-Löf, but, as we shall see, this system is not even strong enough to interpret the second order polymorphic typed $\lambda$-calculus, and we look at how the former system would have to be strengthened to interpret the latter. We end with some limitations on the system which results from this strengthening and which are overcome in the theory of constructions itself.

It is worth mentioning that it is desirable to interpret the second order polymorphic typed $\lambda$-calculus in systems of generalized type assignment because of the strength of the former, which we will see in Section 2.4, and the fact that we have a method for proving the consistency of the latter. In general, when we have a system which can be proved consistent and in which we can interpret other systems, the latter systems are shown to be consistent. As we shall see in Chapter 5, the consistency proof for the theory of constructions leads to consistency results for the interpretations of a number of useful theories from mathematics and logic.
2.1 Type assignment

In the typed $\lambda$-calculus as defined above, terms without types cannot be formed. But in most programming languages with type discipline, types play a different role: instead of preventing terms from being formed, they pick out of a set of terms that already exist those terms that are acceptable to a programming context (such as a compiler). The terms exist independently of the types, and the relationship between the types and the terms is established by a process of assigning types to terms.

It turns out to be easy to apply this approach to the $\lambda$-calculus. We need only assume that we are dealing with the pure $\lambda$-terms of Definition 1.13 and give a systematic procedure for assigning types to them.

This procedure will take the form of a deductive theory or system. The formulas of the system will all have the form

$M : \alpha,$

where $M$ is a term and $\alpha$ is a type. The axioms will be formulas assigning types to the atomic constants if there are any. (For the moment, let us make things simpler by assuming that there are no atomic constants.) We also need to assign types to the variables. In the definition of basic typed terms (Definition 1.3), we postulated that each variable came with a type. Here, we do not postulate this. Instead, we will postulate that in any particular assignment, types are assigned to the variables by assumption. In general, $\Gamma$ will be a set of such assumptions; i.e., $\Gamma$ will be a set of formulas of the form

$x_1 : \alpha_1,\ x_2 : \alpha_2,\ \ldots,\ x_n : \alpha_n,$

where $x_1, x_2, \ldots, x_n$ are distinct variables and $\alpha_1, \alpha_2, \ldots, \alpha_n$ are types. Thus, in general, an assignment of a type to a term is a deduction whose assumptions assign types to the free variables in the term. The statement that $M : \alpha$ can be deduced from a set of assumptions $\Gamma$ will be written

$\Gamma \vdash M : \alpha.$

If we look at the definition of pure $\lambda$-terms, we will see that we have taken care of assigning types to the atomic terms (constants and variables). To assign types to compound terms, we need rules. These rules will have to correspond to the clauses assigning types to application terms and abstraction terms in the definition of basic typed $\lambda$-terms, Definition 1.3. They are as follows:

($\to$e)  If $\Gamma \vdash M : \alpha\to\beta$ and $\Gamma \vdash N : \alpha$, then $\Gamma \vdash (MN) : \beta$.

($\to$i)  If $\Gamma, x : \alpha \vdash M : \beta$, where $x$ does not occur free in $\Gamma$, then $\Gamma \vdash \lambda x.M : \alpha\to\beta$.

Note that in the case of ($\to$i), the conclusion of the rule does not depend on the assumption $x : \alpha$, whereas the premise does. We say that the assumption is discharged by the rule. This notion of discharging an assumption is quite common in natural deduction formulations of systems of logic, which were introduced originally by Jaskowski [Jas34] and Gentzen [Gen34] and were extensively studied by Prawitz [Pra65]. In these systems, the above rules would usually be written as follows:

                                                [x : α]
                                                   ⋮
(→e)   M : α→β      N : α              (→i)      M : β
       ------------------                    --------------
            MN : β                            λx.M : α→β

where in (→i), $x$ does not occur free in any undischarged assumption, and where the square brackets indicate the discharging of the assumption $x : \alpha$ by the rule.

Writing the rules this way is associated with writing deductions as trees, as the following examples indicate:

Example 2.1  $\lambda x.x : \alpha\to\alpha$ for each type $\alpha$.

Proof

       1
    [x : α]
    ------------ (→i-1)
    λx.x : α→α

Here the brackets indicate the discharged assumption, and the number "1" is used to indicate the location of the discharge. The importance of keeping track of the places at which assumptions are discharged is shown in the following example:

Example 2.2  For any types $\alpha$, $\beta$, and $\gamma$, we have

$\lambda x.\lambda y.\lambda z.xz(yz) : (\alpha\to\beta\to\gamma)\to(\alpha\to\beta)\to\alpha\to\gamma.$

Proof

         3              1              2            1
    [x : α→β→γ]      [z : α]       [y : α→β]     [z : α]
    ------------------------ (→e)  --------------------- (→e)
           xz : β→γ                       yz : β
           ---------------------------------------- (→e)
                        xz(yz) : γ
           ---------------------------------------- (→i-1)
                    λz.xz(yz) : α→γ
           ---------------------------------------- (→i-2)
               λy.λz.xz(yz) : (α→β)→α→γ
           ---------------------------------------- (→i-3)
        λx.λy.λz.xz(yz) : (α→β→γ)→(α→β)→α→γ

It is important to note that an assumption which is discharged need not actually be used. Consider the following example:

Example 2.3  For any types $\alpha$ and $\beta$, $\lambda x.\lambda y.x : \alpha\to\beta\to\alpha$.

Proof

       1
    [x : α]
    ------------------ (→i-v)
    λy.x : β→α
    ------------------ (→i-1)
    λx.λy.x : α→β→α

Here, the assumption discharged at the first step is $y : \beta$, which does not actually appear in the deduction. The "v" indicates this fact.

This method of writing deductions and proofs is common in logic and is appropriate for theoretical purposes, as we shall see. But many non-logicians may be uncomfortable with writing deductions as trees. An alternative is to write the deductions as tables. The three examples given above can be written as follows:




                Formula                                        Rule         Assumptions

Example 2.1'
1.   x : α                                                     Hyp          1
2.   λx.x : α→α                                                1 (→i)

Example 2.2'
1.   x : α→β→γ                                                 Hyp          1
2.   y : α→β                                                   Hyp          2
3.   z : α                                                     Hyp          3
4.   xz : β→γ                                                  1,3 (→e)     1,3
5.   yz : β                                                    2,3 (→e)     2,3
6.   xz(yz) : γ                                                4,5 (→e)     1,2,3
7.   λz.xz(yz) : α→γ                                           6 (→i)       1,2
8.   λy.λz.xz(yz) : (α→β)→α→γ                                  7 (→i)       1
9.   λx.λy.λz.xz(yz) : (α→β→γ)→(α→β)→α→γ                      8 (→i)

Example 2.3'
1.   x : α                                                     Hyp          1
2.   λy.x : β→α                                                1 (→i)       1
3.   λx.λy.x : α→β→α                                           2 (→i)

Note that here the discharge of an assumption is indicated by the removal of its number from the last column, and that if (→i) is used without a change in the last column, then the discharge is vacuous.

One  feature  of  this  kind  of  system  is  that  these  proofs  can  all  be  obtained  by 
working  backwards.  Let  us  see  this  for  each  of  the  three  examples: 

Example 2.1''  We want to prove

$\vdash \lambda x.x : \alpha\to\alpha.$

The only rule of which this can be the conclusion is ($\to$i), and the premise must be

$x : \alpha \vdash x : \alpha.$

But this is a trivial deduction consisting of an assumption. ■


Example 2.2''  We want to prove

$\vdash \lambda x.\lambda y.\lambda z.xz(yz) : (\alpha\to\beta\to\gamma)\to(\alpha\to\beta)\to\alpha\to\gamma.$

This must be the conclusion of ($\to$i), and the premise must be

$x : \alpha\to\beta\to\gamma \vdash \lambda y.\lambda z.xz(yz) : (\alpha\to\beta)\to\alpha\to\gamma.$

This must also be the conclusion of ($\to$i) with the premise

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta \vdash \lambda z.xz(yz) : \alpha\to\gamma.$

This must also be the conclusion of ($\to$i), and the premise must be

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta,\ z : \alpha \vdash xz(yz) : \gamma.$

Now this must be the conclusion of ($\to$e), and the premises must be

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta,\ z : \alpha \vdash xz : \delta\to\gamma \qquad (2.1)$

and

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta,\ z : \alpha \vdash yz : \delta \qquad (2.2)$

for some type $\delta$. Now each of these must also be the conclusion of an inference by ($\to$e). The premises for (2.1) must be

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta,\ z : \alpha \vdash x : \epsilon\to\delta\to\gamma$

and

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta,\ z : \alpha \vdash z : \epsilon$

for some type $\epsilon$, and it is clear that these deductions are trivial if $\delta$ is $\beta$ and $\epsilon$ is $\alpha$. Then (2.2) must be

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta,\ z : \alpha \vdash yz : \beta,$

and its premises must be

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta,\ z : \alpha \vdash y : \zeta\to\beta$

and

$x : \alpha\to\beta\to\gamma,\ y : \alpha\to\beta,\ z : \alpha \vdash z : \zeta.$

These two deductions also become trivial if $\zeta$ is $\alpha$. ■

Example 2.3''  We need to prove

$\vdash \lambda x.\lambda y.x : \alpha \to \beta \to \alpha.$

This must be the conclusion of an inference by $(\to i)$, and the premise must be

$x : \alpha \vdash \lambda y.x : \beta \to \alpha.$

This must also be the conclusion of an inference by $(\to i)$, and the premise must be

$x : \alpha,\ y : \beta \vdash x : \alpha,$

which is a trivial deduction. ■

This style of finding deductions is called the refinement style, and is close to the usual method of implementing on a computer procedures for constructing proofs in this kind of system.

Let  us  give  this  system  a  name.  Note  that  for  technical  reasons,  we  need  one 
additional  rule  which  has  not  been  needed  in  the  above  examples. 

Definition 2.1 (The type-assignment system TA)  The system TA is a natural deduction system. Its formulas, called type-assignment formulas, are the expressions of the form

$M : \alpha,$

where $M$ is a pure term and $\alpha$ is a (basic) type symbol. There are no axioms. The rules are as follows:

$(\to e)\quad \dfrac{M : \alpha \to \beta \qquad N : \alpha}{MN : \beta}$

$(\to i)\quad \dfrac{\begin{array}{c}[x : \alpha]\\ \vdots\\ M : \beta\end{array}}{\lambda x.M : \alpha \to \beta}$    Condition: $x : \alpha$ is the only undischarged assumption in which $x$ occurs free.

$(=_\alpha)\quad \dfrac{M : \beta}{N : \beta}$    Condition: $N$ is obtained from $M$ by change of bound variables and $M : \beta$ is not the conclusion of a rule.


Note that rule $(=_\alpha)$ cannot occur in a deduction if all assumptions are of the form $x : \alpha$, where $x$ is a variable. The rule is included to allow assumptions of other forms and because we will need it in systems we will take up later.

There are several things to note about this system. The first is that deductions invariably follow the construction of the term to which a type is assigned by the conclusion. This fact, which is easy to see, is difficult to write out as a formal theorem. It is known as the subject-construction theorem; see Curry, Hindley & Seldin [CHS72] Theorem 14D1, p. 310. (The name comes from the fact that the term $M$ in a formula $M : \alpha$ is called the subject of the formula.) Nevertheless, it should be obvious from the above examples. One result of this theorem is that it is fairly easy to determine the type of any bound variable. Another is that it is decidable whether or not a given term has a type. See the discussion in Hindley & Seldin [HS86] Chapter 15.

By using the subject-construction theorem, we can obtain results for deductions in TA corresponding to the results of Section 1.3 above for basic terms. First, we need to define a basis as a set of assumptions of the form

$M_1 : \alpha_1, \ldots, M_n : \alpha_n.$

A variables-only basis is a basis in which each $M_i$ is a variable. Then, we have the following analogue of Lemma 1.1:

Lemma 2.1 (Replacement)  Let $\Gamma_1$ be any basis, and let $\mathcal{D}$ be a deduction giving

$\Gamma_1 \vdash_{TA} M : \alpha.$

Let $P$ be a term occurrence in $M$, and let $\lambda x_1, \ldots, \lambda x_n$ be those $\lambda$'s whose scope contains $P$. Let $\mathcal{D}$ contain a formula $P : \gamma$ in the same position that $P$ has in the construction tree of $M$, and let

$x_1 : \delta_1, \ldots, x_n : \delta_n$

be the assumptions above $P : \gamma$ that are discharged by applications of $(\to i)$ below it. Assume that $P : \gamma$ is not in $\Gamma_1$. Let $Q$ be a term such that $\mathrm{FV}(Q) \subseteq \mathrm{FV}(P)$, and let $\Gamma_2$ be a basis in which $x_1, \ldots, x_n$ do not occur free such that

$\Gamma_2,\ x_1 : \delta_1, \ldots, x_n : \delta_n \vdash_{TA} Q : \gamma.$

Let $M^*$ be the result of replacing $P$ by $Q$ in $M$. Then

$\Gamma_1 \cup \Gamma_2 \vdash_{TA} M^* : \alpha.$

Proof  See Hindley & Seldin [HS86] Lemma 15.16. ■

Using  this  lemma  and  the  subject-construction  theorem,  it  is  easy  to  prove  the 
following  theorem: 

Theorem 2.1 (Subject-reduction theorem)  Let $\Gamma$ be a variables-only basis. If

$\Gamma \vdash_{TA} M : \alpha$

and $M \triangleright N$, then

$\Gamma \vdash_{TA} N : \alpha.$

Proof  See Hindley & Seldin [HS86] Theorem 15.17. ■

From  these  results,  we  can  see  that  deductions  in  TA  correspond  to  typed  terms 
in  the  sense  of  Definition  1.3. 


Definition 2.2 (Correspondence between deductions and terms)  For each deduction $\mathcal{D}$ of TA, a typed term $|\mathcal{D}|$ in the sense of Definition 1.3 whose type is the type of the conclusion of $\mathcal{D}$, is defined as follows:

(a) If $M : \alpha$ is an assumption, then $|M : \alpha|$ is a typed variable $x^\alpha$ of type $\alpha$. This variable must be so chosen that it is not assigned to any other assumption which is not also of the form $M : \alpha$; but if $M : \alpha$ is a discharged assumption then the same variable must be assigned to any other assumptions of the form $M : \alpha$ which are discharged at the same inference by $(\to i)$;

(b) If $\mathcal{D}$ is

$\dfrac{\begin{array}{c}\mathcal{D}_1\\ M : \alpha \to \beta\end{array} \qquad \begin{array}{c}\mathcal{D}_2\\ N : \alpha\end{array}}{MN : \beta}\,(\to e)$

then $|\mathcal{D}| = |\mathcal{D}_1||\mathcal{D}_2|$;

(c) If $\mathcal{D}$ is

$\dfrac{\begin{array}{c}[x : \alpha]^1\\ \mathcal{D}_1\\ M : \beta\end{array}}{\lambda x.M : \alpha \to \beta}\,(\to i\text{-}1)$

then $|\mathcal{D}| = \lambda v^\alpha.|\mathcal{D}_1|$, where $v^\alpha = |x : \alpha|$.

(This is not quite a one-to-one correspondence because the condition on typed variables in (a) is almost impossible to satisfy with one definition for all deductions in a way that is consistent with the changes of bound variables required to define substitution. But for any small set of deductions, it is locally a one-to-one correspondence.)

This correspondence suggests that we define reduction steps for deductions as well as for terms. These reduction steps turn out to be similar to the $\supset$-reduction steps of Prawitz [Pra65] (see Section 3.3):

Definition 2.3 ($\beta$-reduction steps for deductions)  A deduction of the form

$\begin{array}{c}\dfrac{\dfrac{\begin{array}{c}[x : \alpha]^1\\ \mathcal{D}_1(x)\\ M : \beta\end{array}}{\lambda x.M : \alpha \to \beta}\,(\to i\text{-}1) \qquad \begin{array}{c}\mathcal{D}_2\\ N : \alpha\end{array}}{(\lambda x.M)N : \beta}\,(\to e)\\ \mathcal{D}_3\end{array}$

reduces to

$\begin{array}{c}\mathcal{D}_2\\ N : \alpha\\ \mathcal{D}_1(N)\\ {[N/x]M : \beta}\\ \mathcal{D}'_3\end{array}$

where $\mathcal{D}'_3$ is obtained from $\mathcal{D}_3$ by replacing appropriate occurrences of $(\lambda x.M)N$ by $[N/x]M$ according to Lemma 2.1.

Using Definition 2.3, we can prove the following result:

Theorem 2.2 (Normalization theorem for deductions)  Every deduction in TA can be reduced to a deduction which cannot be reduced further.

This can also be proved directly; see Hindley & Seldin [HS86] Theorem 15.31. By the subject-construction theorem, it follows that if there is a deduction $\mathcal{D}$ of $M : \alpha$ from a variables-only basis, and if there is a $\beta$-redex in $M$, then $\mathcal{D}$ can be reduced by a $\beta$-reduction step for deductions. This gives us the following corollary.

Corollary 2.2.1 (Normalization theorem for terms)  Let $\Gamma$ be a variables-only basis. If

$\Gamma \vdash_{TA} M : \alpha,$

then $M$ has a normal form.

(See Hindley & Seldin [HS86] Corollary 15.31.1.)

A deduction which cannot be further reduced, which is usually called a normal deduction, has the property that there is no inference by $(\to i)$ whose conclusion is the major (left) premise for an inference by $(\to e)$. It follows from this that if one takes a normal deduction (in tree form) and starts with any assumption, whether discharged or not, then, as one proceeds down the tree, one cannot come to a major premise for an inference by $(\to e)$ below an inference by $(\to i)$ unless one passes through a minor (right) premise for an inference by $(\to e)$ in between. Let us define a branch of a deduction to be a sequence $A_1, A_2, \ldots, A_n$ of formula occurrences such that $A_1$ is a (discharged or undischarged) assumption, for each $i < n$, $A_i$ is the premise for an inference (but not the right premise for an inference by $(\to e)$) and $A_{i+1}$ is the conclusion, and $A_n$ is either the conclusion of the deduction or else the right premise for an inference by $(\to e)$. Then each branch consists of zero or more left premises for inferences by $(\to e)$ followed by premises for inferences by $(\to i)$. (Under certain circumstances, a branch may begin with the premise for an inference by $(=_\alpha)$.) It follows that any deduction proceeds by breaking the types of the assumptions down into their constituent parts and then putting the parts back together to get the type of the conclusion. There are a number of consequences of this fact, among them the following:

Corollary 2.2.2 (Subtype property)  In any normal deduction in TA, every type appearing in a formula of the deduction is a subtype of the type of one of the assumptions or else of the conclusion.

Another consequence of this structure of normal deductions is the following:

Corollary 2.2.3  If the type of the conclusion of a normal deduction is atomic, then there is no inference by $(\to i)$ in the leftmost branch (i.e., the branch that begins with the top left assumption and ends with the conclusion of the deduction).

Remark  It is not hard to extend this theory to extended typed $\lambda$-terms. All we need to do is to add some new constants and assign them new types using axiom schemes as follows:

(D) $\mathrm{D}_{\alpha,\beta} : \alpha \to \beta \to \alpha \times \beta$,

(fst) $\mathrm{fst}_{\alpha,\beta} : \alpha \times \beta \to \alpha$,

(snd) $\mathrm{snd}_{\alpha,\beta} : \alpha \times \beta \to \beta$,

(inl) $\mathrm{inl}_{\alpha,\beta} : \alpha \to \alpha + \beta$,

(inr) $\mathrm{inr}_{\alpha,\beta} : \beta \to \alpha + \beta$,

(case) $\mathrm{case}_{\alpha,\beta,\gamma} : \alpha + \beta \to (\alpha \to \gamma) \to (\beta \to \gamma) \to \gamma$,

(0) $0 : \mathrm{N}$,

($\sigma$) $\sigma : \mathrm{N} \to \mathrm{N}$,

and

($\mathrm{R}_\alpha$) $\mathrm{R}_\alpha : \alpha \to (\mathrm{N} \to \alpha \to \alpha) \to \mathrm{N} \to \alpha$.

We also assume that these constants satisfy the contractions obtained from the first four of Definition 1.9 by dropping type superscripts. For some purposes, as we shall see in Section 3.4, we are not interested in the constants $0$, $\sigma$, and $\mathrm{R}_\alpha$. The system without the constants $0$, $\sigma$, and $\mathrm{R}_\alpha$ (and without the atomic type $\mathrm{N}$) will be called extended TA. The system with $\mathrm{N}$, $0$, $\sigma$, and $\mathrm{R}_\alpha$ will be called extended TA with arithmetic.
2.2 Type variables and principal type scheme

As we saw in Example 2.1 above,

$\lambda x.x : \alpha \to \alpha$

for every type $\alpha$. It follows that if $\theta$ is any atomic type, then

$\lambda x.x : \theta \to \theta.$

It seems clear that any other type assigned to $\lambda x.x$ can be obtained from the type $\theta \to \theta$ by "substituting" some other type for $\theta$. It would be nice to formalize and generalize this property of type-assignment.

The  notion  of  “substitution”  into  a  type  would  make  more  sense  if  we  had  type 
variables.  Hence,  we  extend  Definition  2.1  as  follows: 

Definition 2.4 (Type schemes)  The atomic type constants or type constants will be the atomic type symbols of Definition 1.1. We assume that we have infinitely many type variables, which will be denoted $a$, $b$, etc. Then type schemes are defined as follows:

(a) Type constants and type variables are (atomic) type schemes;

(b) If $\alpha$ and $\beta$ are type schemes, then so is $(\alpha \to \beta)$.

A type is a type scheme in which no type variables occur. A type scheme $\beta$ is a substitution instance of a type scheme $\alpha$ if $\beta$ is obtained from $\alpha$ by substituting types for type variables; i.e., if there are type variables $a_1, a_2, \ldots, a_n$ and type schemes $\gamma_1, \gamma_2, \ldots, \gamma_n$ such that

$\beta = [\gamma_1/a_1, \gamma_2/a_2, \ldots, \gamma_n/a_n]\alpha.^1$

From now on, we will assume that TA is defined using type schemes instead of types.

Now the property of type assignment that we noted at the beginning of this section can be formulated by saying that any type or type scheme assigned to $\lambda x.x$ is a substitution instance of $a \to a$. We are interested in knowing which terms are assigned a type scheme with the property that any other type scheme assigned to the term is a substitution instance of the given one. A type scheme with this property deserves a special name.

$^1$ We are ignoring for the moment types $\alpha \times \beta$ and $\alpha + \beta$. The reasons for this will become apparent in Section 2.4 below.
Definition 2.5 (Principal type scheme)  Let $M$ be a closed term. Then a type scheme $\alpha$ is called a principal type scheme (p.t.s.) of $M$ if and only if

$\vdash_{TA} M : \alpha'$

holds for a type scheme $\alpha'$ when and only when $\alpha'$ is a substitution instance of $\alpha$.

This definition clearly works only for closed terms; i.e., for terms with no free variables. For terms with free variables, we need to generalize this definition. First, we define an FV($M$)-basis for a term $M$ to be a basis of the form

$M_1 : \alpha_1,\ M_2 : \alpha_2,\ \ldots,\ M_n : \alpha_n$

in which each $M_i$ is a variable which occurs free in $M$.

Definition 2.6 (Principal pair)  Let $M$ be a term whose free variables are $x_1, x_2, \ldots, x_n$. Then a pair $(\Gamma, \alpha)$ is called a principal pair (p.p.) of $M$, and $\alpha$ a p.t.s. of $M$, if and only if $\Gamma$ is an FV($M$)-basis and

$\Gamma' \vdash_{TA} M : \alpha'$

holds for an FV($M$)-basis $\Gamma'$ and a type scheme $\alpha'$ when and only when $\Gamma'$ and $\alpha'$ are obtained from $\Gamma$ and $\alpha$ respectively by the same substitution.

Example 2.4  $\lambda x.x$ has p.t.s. $a \to a$.

Example 2.5  $\lambda x.xx$ is not assigned any type by TA.

These examples should make it clear that the following theorem holds; its proof, although simple in principle, is complicated to write out and will not be given here. (See Hindley & Seldin [HS86] Theorem 15.26 and Theorem 14.40.)

Theorem 2.3 (P.t.s. theorem)  Every pure $\lambda$-term $M$ to which a type scheme is assigned by TA using only FV($M$)-bases has a p.t.s. and a p.p.

It is worth noting that the use of type variables makes it possible to make general assertions. The fact that $\lambda x.x$ has as a p.t.s. $a \to a$ means that it has type $\alpha \to \alpha$ for all types $\alpha$. Thus, a statement such as

$\vdash_{TA} \lambda x.x : a \to a$

makes a statement about all types $\alpha$. This same method of making general statements about types is used in the programming language ML (see Gordon et al. [GMW79] and Milner [Mil85] and [Mil78]).
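The refinement-style search of Examples 2.1''-2.3'' and the principal pairs of Definition 2.6 can be mechanized together. The following Python is an added example, not code from the report: it reads the rules of TA backwards from a goal $M : t$, introduces a fresh type variable wherever the text says "for some type $\delta$", and lets unification decide what $\delta$ must be; the occurs check is what rejects $\lambda x.xx$ (Example 2.5). The constructors `var`, `app`, `lam` and the tuple encoding of types and terms are this example's own.

```python
"""Refinement-style inference of principal pairs for TA (Definitions 2.1, 2.4, 2.6).
Added example, not code from the report: a type scheme is a string (type variable)
or ('->', dom, cod); a term is ('var', x), ('app', M, N) or ('lam', x, M).
"""
import itertools
import string

var = lambda x: ('var', x)
app = lambda m, n: ('app', m, n)
lam = lambda x, m: ('lam', x, m)

_counter = itertools.count()

class Untypable(Exception):
    """No type scheme can be assigned from an FV(M)-basis (Example 2.5)."""

def fresh():
    """A type variable not used so far: the 'some type delta' of Example 2.2''."""
    return f"t{next(_counter)}"

def apply(subst, t):
    """Apply a substitution (dict: type variable -> type scheme) to t."""
    if isinstance(t, str):
        return apply(subst, subst[t]) if t in subst else t
    return ('->', apply(subst, t[1]), apply(subst, t[2]))

def occurs(a, t):
    return t == a if isinstance(t, str) else occurs(a, t[1]) or occurs(a, t[2])

def unify(s, t, subst):
    """Extend subst so that s and t become the same type scheme, or fail."""
    s, t = apply(subst, s), apply(subst, t)
    if s == t:
        return subst
    if isinstance(s, str):
        if occurs(s, t):            # a = a -> b has no solution, so x x gets no type
            raise Untypable(f"{s} occurs in {show(t)}")
        return {**subst, s: t}
    if isinstance(t, str):
        return unify(t, s, subst)
    subst = unify(s[1], t[1], subst)
    return unify(s[2], t[2], subst)

def refine(term, goal, basis, subst):
    """Find a deduction of  basis |- term : goal  by reading each rule backwards."""
    kind = term[0]
    if kind == 'var':               # a leaf must be an assumption of the basis
        return unify(basis[term[1]], goal, subst)
    if kind == 'app':               # conclusion of (-> e): M : d -> goal and N : d
        d = fresh()
        subst = refine(term[1], ('->', d, goal), basis, subst)
        return refine(term[2], d, basis, subst)
    x, body = term[1], term[2]      # conclusion of (-> i): goal = a -> b, discharge x : a
    a, b = fresh(), fresh()
    subst = unify(goal, ('->', a, b), subst)
    return refine(body, b, {**basis, x: a}, subst)

def free_vars(term):
    if term[0] == 'var':
        return {term[1]}
    if term[0] == 'app':
        return free_vars(term[1]) | free_vars(term[2])
    return free_vars(term[2]) - {term[1]}

def principal_pair(term):
    """Return (basis, type): an FV(M)-basis and a p.t.s. of M (Definition 2.6)."""
    basis = {x: fresh() for x in sorted(free_vars(term))}
    goal = fresh()
    subst = refine(term, goal, basis, {})
    return {x: apply(subst, t) for x, t in basis.items()}, apply(subst, goal)

def canonical(basis, t):
    """Rename type variables to a, b, c, ... in order of first occurrence."""
    names = {}

    def go(u):
        if isinstance(u, str):
            names.setdefault(u, string.ascii_lowercase[len(names)])
            return names[u]
        return ('->', go(u[1]), go(u[2]))

    return {x: go(basis[x]) for x in sorted(basis)}, go(t)

def typable(term):
    try:
        principal_pair(term)
        return True
    except Untypable:
        return False

def show(t):
    """Arrows associate to the right, as the report writes them."""
    if isinstance(t, str):
        return t
    dom = show(t[1]) if isinstance(t[1], str) else f"({show(t[1])})"
    return f"{dom} -> {show(t[2])}"

if __name__ == "__main__":
    S = lam('x', lam('y', lam('z', app(app(var('x'), var('z')), app(var('y'), var('z'))))))
    print(show(canonical(*principal_pair(S))[1]))  # (a -> b -> c) -> (a -> b) -> a -> c
    print(typable(lam('x', app(var('x'), var('x')))))  # False
```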
2.3 Universal quantification over all types

We have seen how to use type variables to make statements about all types. But the system we have above is still not what is usually needed for making and using such statements in a programming language. For example, in a language such as FORTRAN or PASCAL, programs that differ only in the types of their variables need to be duplicated and compiled separately. A language such as ML avoids this problem by using type variables and having a rule of substitution for them. We could easily imitate ML by adding a rule such as

$\dfrac{M : \alpha}{M : [\beta/a]\alpha},$

but this seems to be in some ways incompatible with the subject-construction theorem. The alternative which suggests itself is to add an explicit universal quantifier.

A system with this explicit universal quantifier is already known; it was introduced independently by Girard [Gir71] and Reynolds [Rey74]. The definition of type is extended by specifying that if $a$ is a type variable and $\alpha$ is a type, then $(\forall a)\alpha$ is a type. For this to make complete sense, we need to keep track of the types of bound variables; thus, if the type of $x$ is $\alpha$, then we shall write $\lambda x{:}\alpha.\,M$ instead of $\lambda x.M$. For example, the identity function on type $\alpha$ will now be written $\lambda x{:}\alpha.\,x$. If we take the type to be the type variable $a$, then we have $\lambda x{:}a.\,x$, which has type $a \to a$. Obviously, some term related to this one should be in the type $(\forall a)(a \to a)$, and the fact that the term has this type should express the fact that in TA a p.t.s. of $\lambda x.x$ is $a \to a$. To construct the term we need, we add a new abstraction operator, from a type variable $a$ and a term $M$. In our example, the term in $(\forall a)(a \to a)$ is $\Lambda a.\,\lambda x{:}a.\,x$. To go with this new abstraction operator, we need a new application: the result of applying a term $M$ to a type-scheme $\beta$ will be $M\beta$. In our example, we will have the term $(\Lambda a.\,\lambda x{:}a.\,x)\beta$, which we expect to be assigned type $\beta \to \beta$ and to reduce to $\lambda x{:}\beta.\,x$. In general, we expect to have the "$\beta$"-contraction of $(\Lambda a.M)\beta$ to $[\beta/a]M$. We also have the following new type assignment rules:

$(\forall e)\quad \dfrac{M : (\forall a)\alpha}{M\beta : [\beta/a]\alpha}$    Condition: $\beta$ is a type.

$(\forall i)\quad \dfrac{M : \alpha}{\Lambda a.M : (\forall a)\alpha}$    Condition: $a$ does not occur free in any undischarged assumption.


One  effect  of  these  rules  is  to  give  us  functions  which  take  types  as  arguments. 
Such  functions  cannot  be  represented  in  the  type  structures  of  Section  2.1.  See  the 
second  note  before  Example  2.6  below. 

Note that with our new notation, rule $(\to i)$ is now written as follows:

$\dfrac{\begin{array}{c}[x : \alpha]^1\\ \vdots\\ M : \beta\end{array}}{\lambda x{:}\alpha.\,M : \alpha \to \beta}$

The system defined this way is called the second-order polymorphic typed $\lambda$-calculus, or, for short, second-order $\lambda$-calculus. To define it, we have the following formal definitions:

Definition 2.7 (Second-order polymorphic types and type schemes)  Assume that we have some type constants and infinitely many type variables as in Definition 2.4. Then second-order polymorphic type schemes are defined as follows:

(a) all type constants and type variables are type schemes;

(b) if $\alpha$ and $\beta$ are type schemes, then so is $(\alpha \to \beta)$; and

(c) if $\alpha$ is a type scheme and $a$ is a type variable, then $(\forall a)\alpha$ is a type scheme. An occurrence of a type variable $a$ in a type scheme $\alpha$ is said to be bound if it is inside a subtype scheme of the form $(\forall a)\alpha$; otherwise it is free. A second-order polymorphic type is a second-order polymorphic type scheme in which every occurrence of a type variable is bound. The set of all type variables free in $\alpha$ is called FV($\alpha$).

Definition 2.8 (Second-order polymorphic $\lambda$-terms)  Assume that we have infinitely many term variables, distinct from the type variables, and perhaps some constants, each constant having a type scheme assigned to it. Then second-order polymorphic $\lambda$-terms are defined as follows:

(a) every constant and variable is a term;

(b) if $M$ and $N$ are terms, then so is $(MN)$;

(c) if $x$ is a variable, $\alpha$ a type scheme, and $M$ a term, then $(\lambda x{:}\alpha.\,M)$ is a term;

(d) if $M$ is a term and $\alpha$ is a type scheme, then $M\alpha$ is a term; and

(e) if $a$ is a type variable and $M$ is a term, then $(\Lambda a.M)$ is a term.

An occurrence of a term variable $x$ in a term $P$ is said to be bound if it is inside a subterm of the form $\lambda x{:}\alpha.\,M$; otherwise it is free. An occurrence of a type variable $a$ in a term $P$ is bound if it is inside a subterm of the form $\Lambda a.M$; otherwise it is free. The set of all term and type variables free in $M$ is called FV($M$).

Definition  2.9  (Substitution)  Substitution  of  terms  for  term  variables  and  type 
schemes  for  type  variables  is  defined  much  as  in  Definition  2.6;  in  particular,  bound 
term  and  type  variables  are  automatically  changed  to  avoid  conflicts. 

Definition 2.10 (Change of bound variables)  A change of bound variables in a type scheme or term is any of the following replacements:

(a) $(\forall a)\beta$ by $(\forall b)[b/a]\beta$ if $b \notin \mathrm{FV}(\beta)$;

(b) $\Lambda a.M$ by $\Lambda b.[b/a]M$ if $b \notin \mathrm{FV}(M)$;

(c) $\lambda x{:}\beta.\,M$ by $\lambda y{:}\beta.\,[y/x]M$ if $y \notin \mathrm{FV}(M)$.

Definition 2.11 ($\beta$-reduction)  For terms $P$ and $Q$, we say that $P$ $\beta$-reduces to $Q$ ($P \triangleright_\beta Q$, or $P \triangleright Q$) if and only if $Q$ is obtained from $P$ by a finite (perhaps empty) series of changes of bound variables and the following kinds of contractions:

($\beta$1) $(\lambda x{:}\alpha.\,M)N \triangleright [N/x]M$;

($\beta$2) $(\Lambda a.M)\alpha \triangleright [\alpha/a]M$.

Conversion is defined from this reduction as in Definition 1.7.

Definition 2.12 (The type assignment system TAP)

TAP (second-order polymorphic type assignment) is a natural deduction system. Its formulas are the type assignment formulas

$M : \alpha,$

where $M$ is a second-order polymorphic term (Definition 2.8) and $\alpha$ is a second-order polymorphic type scheme (Definition 2.7). TAP has axioms which assign types to atomic constants if there are any; otherwise it has no axioms. Its rules are as follows:

$(\forall i)\quad \dfrac{M : \alpha}{\Lambda a.M : (\forall a)\alpha}$    Condition: $a$ is a type variable which is not free in any undischarged assumption.

$(=_\alpha')\quad \dfrac{M : \beta}{N : \beta}$    Condition: $N$ is obtained from $M$ by changes of bound variables.

$(=_\alpha'')\quad \dfrac{M : \beta}{M : \gamma}$    Condition: $\gamma$ is obtained from $\beta$ by changes of bound variables and $M : \beta$ is not the conclusion of a rule.

Notes

1. Rules $(=_\alpha')$ and $(=_\alpha'')$ have not been postulated in the literature; however, it is standard to ignore changes of bound variables and the rules seem necessary to formalize this practice. Note that while rule $(=_\alpha'')$ is restricted the way rule $(=_\alpha)$ is in TA (Definition 2.1), rule $(=_\alpha')$ is not. In fact, if the latter rule were so restricted, it would be impossible to deduce statements of the form $\Lambda a.M : (\forall b)\beta$ unless $a$ and $b$ were the same or there were an assumption of this form.


2. As we saw above, we now have functions which take types for arguments, which are not part of the type structures defined in Section 2.1, so these type structures are not models for TAP. In fact, Reynolds [Rey84] has shown that there are no models for TAP in which the types are interpreted as sets as in type structures. There are models of TAP in terms of category theory, but many people who do not know category theory do not find such models helpful. For computer scientists, it is probably best to think of the terms of TAP as having only computational meaning.

3. Some writers use a different notation: $M(\alpha)$ instead of $M\alpha$ and $\lambda a.M$ for $\Lambda a.M$. The notation used here does not hide any important distinctions which are not clear from the context and is somewhat cleaner than the alternative.

Example 2.6  The informal discussion before Definition 2.7 corresponds to the following formal deduction in TAP:

$\dfrac{\dfrac{\dfrac{[x : a]^1}{\lambda x{:}a.\,x : a \to a}\,(\to i\text{-}1)}{\Lambda a.\,\lambda x{:}a.\,x : (\forall a)(a \to a)}\,(\forall i)}{(\Lambda a.\,\lambda x{:}a.\,x)\beta : \beta \to \beta}\,(\forall e)$

Note that the term in the conclusion reduces to $\lambda x{:}\beta.\,x$.

For the further theory of TAP, including the normalization theorem, see Fortune et al. [FLO83] and Mitchell [Mit86]. For a proof of the Church-Rosser theorem for the reduction defined in Definition 10, see van Daalen [Daa80], § II.6.
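Because every term of TAP carries its type annotations, the rules $(\to e)$, $(\to i)$, $(\forall e)$ and $(\forall i)$ with their side conditions can be checked mechanically by following the construction of the term. The following Python is an added example, not code from the report: it verifies Example 2.6, rejects $\Lambda a.x$ under the assumption $x : a$ (the condition on $(\forall i)$), performs the capture-avoiding substitution of Definition 2.9 and compares type schemes up to change of bound variables; it also checks the typings of $\mathrm{D}_{\alpha,\beta}$ and $\mathrm{fst}_{\alpha,\beta}$ from Definition 2.13 in Section 2.4 below. The tuple encodings and constructor names are this example's own.

```python
"""A checker for TAP (Definition 2.12).  Added example, not code from the report:
type schemes are ('tvar', a) | ('arr', s, t) | ('all', a, t); terms are
('var', x) | ('app', M, N) | ('lam', x, T, M) | ('tapp', M, T) | ('tlam', a, M).
"""
import itertools

tvar = lambda a: ('tvar', a)
arr = lambda s, t: ('arr', s, t)
all_ = lambda a, t: ('all', a, t)
var = lambda x: ('var', x)
app = lambda m, n: ('app', m, n)
lam = lambda x, t, m: ('lam', x, t, m)
tapp = lambda m, t: ('tapp', m, t)
tlam = lambda a, m: ('tlam', a, m)

_counter = itertools.count()

class IllTyped(Exception):
    pass

def ftv(t):
    """Type variables free in a type scheme (Definition 2.7)."""
    if t[0] == 'tvar':
        return {t[1]}
    if t[0] == 'arr':
        return ftv(t[1]) | ftv(t[2])
    return ftv(t[2]) - {t[1]}

def tsubst(t, a, s):
    """[s/a]t, renaming a binder that would capture a free variable of s
    (Definition 2.9, via the change of bound variables of Definition 2.10(a))."""
    if t[0] == 'tvar':
        return s if t[1] == a else t
    if t[0] == 'arr':
        return arr(tsubst(t[1], a, s), tsubst(t[2], a, s))
    b, body = t[1], t[2]
    if b == a:                           # a is bound here: nothing to replace
        return t
    if b in ftv(s):
        fresh = f"{b}{next(_counter)}"
        body, b = tsubst(body, b, tvar(fresh)), fresh
    return all_(b, tsubst(body, a, s))

def alpha_eq(t, u, bound=()):
    """Equality of type schemes up to change of bound variables."""
    if t[0] != u[0]:
        return False
    if t[0] == 'tvar':
        for x, y in reversed(bound):     # the innermost binder decides
            if t[1] == x or u[1] == y:
                return t[1] == x and u[1] == y
        return t[1] == u[1]
    if t[0] == 'arr':
        return alpha_eq(t[1], u[1], bound) and alpha_eq(t[2], u[2], bound)
    return alpha_eq(t[2], u[2], bound + ((t[1], u[1]),))

def typeof(term, ctx=None):
    """The type scheme TAP assigns to term from the undischarged assumptions ctx."""
    ctx = {} if ctx is None else ctx
    k = term[0]
    if k == 'var':
        if term[1] not in ctx:
            raise IllTyped(f"no assumption for {term[1]}")
        return ctx[term[1]]
    if k == 'app':                                   # (-> e)
        f, x = typeof(term[1], ctx), typeof(term[2], ctx)
        if f[0] != 'arr' or not alpha_eq(f[1], x):
            raise IllTyped("argument does not have the domain type")
        return f[2]
    if k == 'lam':                                   # (-> i): discharge x : T
        return arr(term[2], typeof(term[3], {**ctx, term[1]: term[2]}))
    if k == 'tapp':                                  # (forall e)
        f = typeof(term[1], ctx)
        if f[0] != 'all':
            raise IllTyped("type applied to a term without a (forall a) type")
        return tsubst(f[2], f[1], term[2])
    a, body = term[1], term[2]                       # (forall i), with its condition
    if any(a in ftv(t) for t in ctx.values()):
        raise IllTyped(f"{a} is free in an undischarged assumption")
    return all_(a, typeof(body, ctx))

def well_typed(term, ctx=None):
    try:
        typeof(term, ctx)
        return True
    except IllTyped:
        return False

# Example 2.6: (Lambda a . lambda x:a . x) beta : beta -> beta
IDENTITY = tlam('a', lam('x', tvar('a'), var('x')))
EX_2_6 = tapp(IDENTITY, tvar('beta'))

# Definition 2.13 (Section 2.4), with alpha and beta left as type variables
A, B = tvar('alpha'), tvar('beta')
PROD = all_('a', arr(arr(A, arr(B, tvar('a'))), tvar('a')))          # alpha x beta
D_AB = lam('x', A, lam('y', B, tlam('a', lam('z', arr(A, arr(B, tvar('a'))),
                                                app(app(var('z'), var('x')), var('y'))))))
FST_AB = lam('x', PROD, app(tapp(var('x'), A), lam('u', A, lam('v', B, var('u')))))
```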
2.4 The power of second order quantification

It might appear that the next order of business is to add the type forming operators $\times$ and $+$ and to arrange to add the new atomic type $\mathrm{N}$. However, these additions turn out to be unnecessary; for all of these can be defined, as can their associated functions.

Definition 2.13 (Cartesian product type)  Let $\alpha$ and $\beta$ be any two type schemes in TAP, and let $a$ be a type variable which does not occur free in $\alpha$ or $\beta$. Then the product type scheme $\alpha \times \beta$ and its associated pairing and projection operators are defined as follows:

(a) $\alpha \times \beta \equiv (\forall a)((\alpha \to (\beta \to a)) \to a)$;

(b) $\mathrm{D}_{\alpha,\beta} \equiv \lambda x{:}\alpha.\,\lambda y{:}\beta.\,\Lambda a.\,\lambda z{:}\alpha \to (\beta \to a).\,zxy$;

(c) $\mathrm{fst}_{\alpha,\beta} \equiv \lambda x{:}\alpha \times \beta.\,x\alpha(\lambda u{:}\alpha.\,\lambda v{:}\beta.\,u)$; and

(d) $\mathrm{snd}_{\alpha,\beta} \equiv \lambda x{:}\alpha \times \beta.\,x\beta(\lambda u{:}\alpha.\,\lambda v{:}\beta.\,v)$.

It is not at all difficult to prove that from these definitions we have

$\mathrm{D}_{\alpha,\beta} : \alpha \to (\beta \to \alpha \times \beta),$
$\mathrm{fst}_{\alpha,\beta} : \alpha \times \beta \to \alpha,$

and

$\mathrm{snd}_{\alpha,\beta} : \alpha \times \beta \to \beta.$

Furthermore, we can easily see that

$\mathrm{fst}_{\alpha,\beta}(\mathrm{D}_{\alpha,\beta}MN) =_\beta M$

and

$\mathrm{snd}_{\alpha,\beta}(\mathrm{D}_{\alpha,\beta}MN) =_\beta N.$

Definition 2.14 (Disjoint union type)  Let $\alpha$ and $\beta$ be any two type schemes in TAP, and let $a$ be a type variable which does not occur free in $\alpha$ or $\beta$. Then the disjoint union type scheme $\alpha + \beta$ and its associated injection and case operators are defined as follows:

(a) $\alpha + \beta \equiv (\forall a)((\alpha \to a) \to ((\beta \to a) \to a))$;

(b) $\mathrm{inl}_{\alpha,\beta} \equiv \lambda x{:}\alpha.\,\Lambda a.\,\lambda f{:}\alpha \to a.\,\lambda g{:}\beta \to a.\,fx$;

(c) $\mathrm{inr}_{\alpha,\beta} \equiv \lambda y{:}\beta.\,\Lambda a.\,\lambda f{:}\alpha \to a.\,\lambda g{:}\beta \to a.\,gy$;

(d) $\mathrm{case}_{\alpha,\beta} \equiv \lambda z{:}\alpha + \beta.\,\Lambda a.\,\lambda f{:}\alpha \to a.\,\lambda g{:}\beta \to a.\,zafg$.

It is easy to show that these definitions imply

$\mathrm{inl}_{\alpha,\beta} : \alpha \to \alpha + \beta,$

$\mathrm{inr}_{\alpha,\beta} : \beta \to \alpha + \beta,$

and

$\mathrm{case}_{\alpha,\beta} : \alpha + \beta \to (\forall a)((\alpha \to a) \to ((\beta \to a) \to a)).$

Furthermore, it is easy to show that if $\gamma$ is any type scheme and if $M$, $N$, $F$, and $G$ are any terms assigned types $\alpha$, $\beta$, $\alpha \to \gamma$, and $\beta \to \gamma$ respectively, then

$\mathrm{case}_{\alpha,\beta}(\mathrm{inl}_{\alpha,\beta}M)\gamma FG =_\beta FM$

and

$\mathrm{case}_{\alpha,\beta}(\mathrm{inr}_{\alpha,\beta}N)\gamma FG =_\beta GN.$

It turns out that we can also define the type void:

Definition 2.15 (Void type)  $\mathrm{void} \equiv (\forall a)a$.

Then if $M : \mathrm{void}$, and if $\alpha$ is any type, then $M\alpha : \alpha$. It follows that if $M$ is any closed term such that $M : \mathrm{void}$, and if $\theta$ is any type constant, then $M\theta$ is a closed term assigned type $\theta$. This together with the normalization theorem proves the following result:

Theorem 2.4  There is no closed term $M$ such that

$\vdash_{TAP} M : \mathrm{void}.$

We can also define the natural number type $\mathrm{N}$:

Definition 2.16 (Natural number type)  (a) $\mathrm{N} \equiv (\forall a)((a \to a) \to (a \to a))$;

(b) $0 \equiv \Lambda a.\,\lambda x{:}a \to a.\,\lambda y{:}a.\,y$;

(c) $\sigma \equiv \lambda u{:}\mathrm{N}.\,\Lambda a.\,\lambda x{:}a \to a.\,\lambda y{:}a.\,x(uaxy)$;

(d) $\pi \equiv \lambda u{:}\mathrm{N}.\,\mathrm{snd}_{\mathrm{N},\mathrm{N}}(u(\mathrm{N} \times \mathrm{N})Q(\mathrm{D}_{\mathrm{N},\mathrm{N}}\,0\,0))$,

where $Q \equiv \lambda v{:}\mathrm{N} \times \mathrm{N}.\,\mathrm{D}_{\mathrm{N},\mathrm{N}}(\sigma(\mathrm{fst}_{\mathrm{N},\mathrm{N}}v))(\mathrm{fst}_{\mathrm{N},\mathrm{N}}v)$; and

(e) $\mathrm{R} \equiv \Lambda a.\,\lambda x{:}a.\,\lambda y{:}\mathrm{N} \to a \to a.\,\lambda z{:}\mathrm{N}.\,z(\mathrm{N} \to a)P(\lambda w{:}\mathrm{N}.\,x)z$,

where $P \equiv \lambda v{:}\mathrm{N} \to a.\,\lambda w{:}\mathrm{N}.\,y(\pi w)(v(\pi w))$. The term $\bar{n}$, which represents the natural number $n$, is defined to be

$\sigma(\sigma(\ldots(\sigma 0)\ldots)),$

where there are $n$ occurrences of $\sigma$.

It is not hard to show that

$0 : \mathrm{N},$
$\sigma : \mathrm{N} \to \mathrm{N},$
$\pi : \mathrm{N} \to \mathrm{N},$

and

$\mathrm{R} : (\forall a)(a \to (\mathrm{N} \to a \to a) \to \mathrm{N} \to a).$

It is also easy to show that

$\bar{n} =_\beta \Lambda a.\,\lambda x{:}a \to a.\,\lambda y{:}a.\,x(x(\ldots(xy)\ldots)),$

where there are $n$ occurrences of $x$ after the last abstraction,

$\pi 0 =_\beta 0,$

$\pi(\sigma\bar{n}) =_\beta \bar{n},$

and also, for any type scheme $\alpha$ and any terms $M$ and $N$ of types $\alpha$ and $\mathrm{N} \to \alpha \to \alpha$ respectively,

$\mathrm{R}\alpha MN0 =_\beta M,$

and

$\mathrm{R}\alpha MN(\sigma\bar{n}) =_\beta N\bar{n}(\mathrm{R}\alpha MN\bar{n}).$


Finally, we can define an existential quantifier over all types to go along with our universal quantifier.

Definition 2.17 (Existential quantifier over all types)  Let $\beta$ be any type scheme, and let $a$ be a type variable, which may occur free in $\beta$. Then the existential quantifier over all types and its associated operators are defined as follows:

(a) $(\exists a)\beta \equiv (\forall b)((\forall a)(\beta \to b) \to b)$,

(b) $\mathrm{single}_\beta \equiv \Lambda c.\,\lambda x{:}[c/a]\beta.\,\Lambda b.\,\lambda z{:}(\forall a)(\beta \to b).\,zcx$,

(c) $\mathrm{project}_\beta \equiv \lambda x{:}(\exists a)\beta.\,\Lambda b.\,\lambda z{:}(\forall a)(\beta \to b).\,xbz$.

It is easy to show that

$\mathrm{single}_\beta : (\forall c)([c/a]\beta \to (\exists a)\beta)$

and

$\mathrm{project}_\beta : (\exists a)\beta \to (\forall b)((\forall a)(\beta \to b) \to b).$

It is also easy to show that if $\alpha$ and $\gamma$ are type schemes in which $a$ does not occur free and if $M$ and $F$ are terms assigned types $[\alpha/a]\beta$ and $(\forall a)(\beta \to \gamma)$ respectively, then

$\mathrm{project}_\beta(\mathrm{single}_\beta\alpha M)\gamma F =_\beta F\alpha M.$

Thus, we can think of $\mathrm{single}_\beta$ as a kind of singleton, or one-tuple, in which the object has type $[\alpha/a]\beta$, and $\mathrm{project}_\beta$ is as close as we can come to a projection function. Note that the type for $\mathrm{single}_\beta$ tells us that if $M$ is a term of type $[\alpha/a]\beta$, then $\mathrm{single}_\beta\alpha M$ is in type $(\exists a)\beta$, and the type for $\mathrm{project}_\beta$ tells us that if $M$ is a term of type $(\exists a)\beta$, $\gamma$ is any type scheme in which $a$ does not occur free, and $F$ is any term of type $(\forall a)(\beta \to \gamma)$, then $\mathrm{project}_\beta M\gamma F$ is in type $\gamma$; this gives us one of the important properties of existence in logic, as we shall see in Section 3.5.

It might appear that we can obtain a true projection function by forming $\mathrm{project}_\beta N\gamma F$ where $F\alpha M =_\beta M$. But this fails to work, for in this case $F$ must be the term

$\Lambda a.\,\lambda x{:}[a/a]\beta.\,x,$

which has type $(\forall a)([a/a]\beta \to [a/a]\beta)$, which means that $\alpha$ must be $a$ and $\gamma$ must be $[a/a]\beta$, which is just $\beta$ itself; thus, $a$ occurs free in both $\alpha$ and $\gamma$, which violates the conditions for the type of $\mathrm{project}_\beta$ given above.

Note  Most of the terms defined in this subsection which have type schemes as parameters can be defined as terms representing functions applied to these type schemes. For example, if we define

$\mathrm{D} \equiv \Lambda a.\,\Lambda b.\,\mathrm{D}_{a,b},$

then for any type schemes $\alpha$ and $\beta$,

$\mathrm{D}\alpha\beta =_\beta \mathrm{D}_{\alpha,\beta}.$

This idea also works for fst, snd, inl, inr, case and R. It fails to work for $\mathrm{single}_\beta$ and $\mathrm{project}_\beta$ because of the type variable which occurs free in $\beta$ (in the interesting cases) and which is bound in the definitions. Furthermore, since we do not have in TAP any machinery for representing functions whose values are types, we cannot do a similar thing for $\alpha \times \beta$ or $\alpha + \beta$.
2.5 Generalized type assignment

Although the two term-forming operators $\to$ and $\forall$ may appear to be entirely distinct, they can be made special instances of a more general type forming operator. This more general operator is central to the theory of constructions.

This more general operator is obtained by extending the meaning of “type” in TA by defining $(\forall x{:}\alpha)\beta$ to be a type whenever $\alpha$ and $\beta$ are types and $x$ does not occur free in $\alpha$. Here, $x$ may occur free in $\beta$. Thus, the notion of type used here is much more general than the notion of type in TA. But let us ignore this for the moment and look at the elimination and introduction rules for these types, which are as follows:

$$(\forall\alpha\,\mathrm{e})\quad \frac{M : (\forall x{:}\alpha)\beta \qquad N : \alpha}{MN : [N/x]\beta}$$

$$(\forall\alpha\,\mathrm{i})\quad \frac{\begin{array}{c}[x : \alpha]\\ M : \beta\end{array}}{\lambda x{:}\alpha\,.\,M : (\forall x{:}\alpha)\beta}$$

Condition on $(\forall\alpha\,\mathrm{i})$: $x$ does not occur free in $\alpha$ or in any undischarged assumption.

If $x$ does not occur free in $\beta$, then $(\forall x{:}\alpha)\beta$ behaves just like $\alpha \to \beta$, and the above rules become $(\to\mathrm{e})$ and $(\to\mathrm{i})$. Hence, if $(\forall x{:}\alpha)\beta$ is a type whenever $\alpha$ and $\beta$ are types, then $\alpha \to \beta$ can be defined to be $(\forall x{:}\alpha)\beta$ for a variable $x$ which does not occur free in either $\alpha$ or $\beta$.

Systems like this are called systems of generalized type assignment, and are covered in Hindley & Seldin [HS86] Chapter 16 and in the references given there. Note that the notation is different there, since what we are denoting by $(\forall x{:}\alpha)\beta$ is there denoted by $G\alpha(\lambda x.\beta)$, and what is there denoted by $G\alpha\beta$ is here denoted by $(\forall x{:}\alpha)(\beta x)$.

As  we  noted  above,  the  definition  of  type  needed  for  this  sort  of  system  is  much 
more  complicated  than  that  used  in  TA.  In  TA  it  is  sufficient  to  define  types,  and 
except  for  type  variables  there  are  no  variables  which  occur  in  types.  But  here,  in 
order  to  have  a  system  which  is  really  more  interesting  than  TA,  it  is  necessary  to 
have  types  in  which  term  variables  occur.  This  means,  in  effect,  that  we  need  not 
only  types,  but  also  functions  whose  values  are  types.  Hence,  any  formalism  for 
generalized  type  assignment  must  include  terms  representing  such  functions. 

Systems of generalized type assignment can be classified by the kinds of functions they have whose values are types, and in particular by what kinds of domains such functions can have. The simplest assumption to make about such functions is that the domains are all universal; i.e., if $\alpha$ is any type function of $n$ arguments and $M$ is any term whatsoever, then $\alpha M$ is a type function of $n - 1$ arguments (where, of course, $n \geq 1$). A system of this sort is called basic generalized type assignment, and we shall look at such systems in Section 2.7. The only alternative is to allow functions whose values are types over restricted domains. One possibility, for example, is to allow functions whose values are types when the arguments are natural numbers, but not necessarily otherwise. Including functions of this kind complicates the definition of the systems: either the definition of type and type function must list each restricted domain used, or else the machinery of type assignment itself must be used to define the functions involved. We shall see more about this in Section 2.8.
2.6 The need for conversion rules

Before we proceed, we need to consider the question of conversion. In TA, we have the subject-reduction theorem (Theorem 2.1), which says that type assignment is invariant under reduction. As we shall see below, a similar result holds for generalized type assignment. For this reason, we have not paid attention to conversions among terms to which types are assigned. Furthermore, in TA, the structure of the types is so simple that the question of conversions between types just does not come up. But in generalized type assignment, the structure of types is more complicated, and so interesting conversions arise.

The best example of this can be seen in terms of the system TAGU of Section 2.8 below (Definition 2.24). Suppose one of the types is $U$ of that system, and suppose we internalize the definition of $\to$ (which we discussed in Section 5) as follows (using Curry’s notation):

$F \equiv \lambda u{:}U\,.\,\lambda v{:}U\,.\,(\forall x{:}u)v$.

It is not hard to show that $F$ has type $(\forall u{:}U)(\forall v{:}U)U$. Now suppose we have, for $\alpha : U$ and $\beta : U$,

$M : F\alpha\beta$

and

$N : \alpha$.

We would like to be able to conclude

$MN : \beta$.

However, to do this with our rules requires

$M : (\forall x{:}\alpha)\beta$,

whereas all we have is

$M : (\lambda u{:}U\,.\,\lambda v{:}U\,.\,(\forall x{:}u)v)\,\alpha\,\beta$.

It is true that this latter type converts to $(\forall x{:}\alpha)\beta$, but with the rules we have so far this is no help.

To solve this problem, we introduce the following rule:

$$(\mathrm{Eq}'')\quad \frac{M : \alpha \qquad \alpha =_\beta \beta}{M : \beta}$$

(On the reason for the name of this rule, see Hindley & Seldin [HS86] Section 14E.)

This rule is often written as follows:

$$\frac{M : \alpha}{M : \beta}\ (\mathrm{Eq}'')$$

It is easy to reconstruct the right premise.

It  might  appear  that  the  introduction  of  this  rule  significantly  complicates  the 
nature  of  deductions  and  raises  problems  with  the  subject-construction  theorem. 
But  in  fact  it  is  possible  to  limit  the  places  in  which  this  rule  is  used: 


Theorem 2.5  In a system of generalized type assignment in which the rules are $(\forall\alpha\,\mathrm{e})$, $(\forall\alpha\,\mathrm{i})$, $(=_\alpha)$ and $(\mathrm{Eq}'')$ (and in which there may be axioms), any deduction can be transformed into another deduction with the same undischarged assumptions and conclusion in which each inference by rule $(\mathrm{Eq}'')$ occurs either just above the major (left) premise for an inference by rule $(\forall\alpha\,\mathrm{e})$ or else just above the conclusion.


Proof  This  follows  from  the  fact  that  the  following  transformations  can  be  carried 
out  systematically  throughout  any  deduction: 

I.

$$
\dfrac{\dfrac{\begin{array}{c}[x : \alpha]^1\\ \mathcal{D}\\ M : \beta\end{array}}{M : \gamma}\ (\mathrm{Eq}'')}{\lambda x{:}\alpha\,.\,M : (\forall x{:}\alpha)\gamma}\ (\forall\alpha\,\mathrm{i}\text{-}1)
$$

to

$$
\dfrac{\dfrac{\begin{array}{c}[x : \alpha]^1\\ \mathcal{D}\\ M : \beta\end{array}}{\lambda x{:}\alpha\,.\,M : (\forall x{:}\alpha)\beta}\ (\forall\alpha\,\mathrm{i}\text{-}1)}{\lambda x{:}\alpha\,.\,M : (\forall x{:}\alpha)\gamma}\ (\mathrm{Eq}'')
$$

II.

$$
\dfrac{\begin{array}{c}\mathcal{D}_1\\ M : (\forall x{:}\beta)\gamma\end{array}\qquad \dfrac{\begin{array}{c}\mathcal{D}_2\\ N : \alpha\end{array}}{N : \beta}\ (\mathrm{Eq}'')}{MN : [N/x]\gamma}\ (\forall\alpha\,\mathrm{e})
$$

to

$$
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}_1\\ M : (\forall x{:}\beta)\gamma\end{array}}{M : (\forall x{:}\alpha)\gamma}\ (\mathrm{Eq}'')\qquad \begin{array}{c}\mathcal{D}_2\\ N : \alpha\end{array}}{MN : [N/x]\gamma}\ (\forall\alpha\,\mathrm{e})
$$

III.

$$
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}\\ M : \alpha\end{array}}{M : \beta}\ (\mathrm{Eq}'')}{N : \beta}\ (=_\alpha)
$$

to

$$
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}\\ M : \alpha\end{array}}{N : \alpha}\ (=_\alpha)}{N : \beta}\ (\mathrm{Eq}'')
$$
2.7 Basic generalized type assignment

As  we  noted  in  Section  2.5,  the  simplest  form  of  generalized  type  assignment  assumes 
that  any  term  can  be  any  argument  of  any  type-valued  function.  The  system  based 
on  this  assumption  is  called  basic  generalized  type  assignment,  abbreviated  TAG. 

The  first  step  in  defining  this  system  is  to  define  the  terms  and  the  types.  In 
this  case,  the  types  will  all  be  terms,  so  we  begin  with  the  terms.  Because  type 
functions  will  take  any  terms  as  arguments,  it  turns  out  to  be  convenient  not  to 
carry  along  in  the  notation  the  type  of  each  bound  variable. 

Definition 2.18 (TAG terms)  The terms of TAG are defined from countably many term variables $x_1, x_2, \ldots, x_n, \ldots$, and some term constants, including a finite or infinite sequence of constants $\theta_1, \theta_2, \ldots$, as follows:

(a) every term variable and term constant is a term;

(b) if $M$ and $N$ are terms, then so is $(MN)$; and

(c) if $x$ is a term variable and $A$ and $M$ are terms, then $(\lambda x.M)$ and $(\forall x{:}A)M$ are terms.

With each constant $\theta_i$ is associated a non-negative integer $\mathrm{dg}(\theta_i)$ called its degree. The constants $\theta_i$ are called type constants.

Reduction for TAG terms will be defined as in Definition 1.6. The only possible contractions in a term of the form $(\forall x{:}A)M$ will be those which take place entirely inside $A$ and $M$.

Now we can define the types and type functions. Each type function will have a rank (the number of occurrences of $\forall$) and a degree.² The types will be the type functions of degree 0.

² The number of arguments needed to produce a type. The degree of a type constant is a special case of the degree of an atomic type function, which, in turn, is a special case of the degree of a type function.

Definition 2.19 (Atomic type function)  A term $\alpha$ is said to be an atomic type function of degree $n$ if and only if

$\alpha \equiv \theta M_1 M_2 \cdots M_k$,

where $\theta$ is a type constant of degree $k + n$ and $M_1, M_2, \ldots, M_k$ are any terms.

Definition 2.20 (Proper TAG type functions)  The term $\alpha$ is a proper TAG type function of rank $m$ and degree $n$ if and only if one of the following conditions is met:

(a) $\alpha$ is an atomic type function of degree $n$ and $m = 0$;

(b) $\alpha \equiv \lambda x.\beta$, where $\beta$ is a proper TAG type function of rank $m$ and degree $n - 1$ (and where, of course, $n > 0$);

(c) $\alpha \equiv (\forall x{:}\beta)\gamma$, where $\beta$ and $\gamma$ are proper TAG type functions of degree 0, $n = 0$, and $m = 1 + \mathrm{rank}(\beta) + \mathrm{rank}(\gamma)$.

Definition 2.21 (TAG type functions)  The term $\alpha$ is a TAG type function of rank $m$ and degree $n$ if and only if there is a proper TAG type function $\beta$ of rank $m$ and degree $n$ such that $\alpha =_\beta \beta$. A TAG type is a TAG type function of degree 0.

Theorem 2.6  The degree and rank of a TAG type function are unique. Furthermore, TAG type functions have the following properties:

T1. If $\alpha$ is a TAG type function of rank $m$ and degree $n$ and if $\beta$ is any term such that $\alpha =_\beta \beta$, then $\beta$ is a TAG type function of rank $m$ and degree $n$;

T2. If $\alpha$ is a TAG type function of rank $m$ and degree $n$, then $\lambda x.\alpha$ is a TAG type function of rank $m$ and degree $n + 1$, and conversely;

T3. If $\alpha$ is a TAG type function of rank $m$ and degree $n + 1$ and if $M$ is any term, then $\alpha M$ is a TAG type function of rank $m$ and degree $n$; and

T4. $(\forall x{:}\alpha)\beta$ is a TAG type function of rank $m$ and degree 0 if and only if $\alpha$ and $\beta$ are TAG type functions of ranks $j$ and $k$ respectively and degree 0 and $m = 1 + j + k$.

Proof  See Hindley & Seldin [HS86] Theorem 16.27 and Remark 16.28. ■

Definition 2.22 (The type assignment system TAG)  The system TAG is a natural deduction system. Its formulas have the form

$M : \alpha$,

where $M$ is a term and $\alpha$ is a TAG type. TAG has no axioms. Its rules are $(\forall\alpha\,\mathrm{e})$, $(\forall\alpha\,\mathrm{i})$, $(\mathrm{Eq}'')$ and $(=_\alpha)$.

Remark  It might seem unnecessary to postulate rule $(\mathrm{Eq}'')$ here, since the argument of Section 2.6 does not apply to this system. But it is traditional to postulate it, especially since in the earliest versions $(\forall x{:}\alpha)\beta$ was only an abbreviation for $G\alpha(\lambda x.\beta)$, and rule $(\forall\alpha\,\mathrm{e})$ had to be obtained from the following rule:

$$\frac{M : G\alpha\beta \qquad N : \alpha}{MN : \beta N}$$

To obtain our rule $(\forall\alpha\,\mathrm{e})$ from this rule requires rule $(\mathrm{Eq}'')$; indeed, to use the elimination rule given here in a nontrivial way requires rule $(\mathrm{Eq}'')$. See Hindley & Seldin [HS86] Section 16D2.

The theory of TAG is similar to the theory of TA (Section 2.1). There are some complications, but for the case we are considering here they are not serious. For example, rules $(\mathrm{Eq}'')$ and $(=_\alpha)$ complicate the subject-construction property, but a version of the property holds (see Hindley & Seldin [HS86] Remark 16.37). The replacement lemma (Lemma 2.1) needs some modification, but a version of it can be proved that will work with the subject-reduction theorem (Theorem 2.1), which holds for $\beta$-reduction (Hindley & Seldin [HS86] Lemma 16.39 and Theorem 16.41). The normalization theorem for deductions (Theorem 2.2) also holds (Hindley & Seldin [HS86] Theorem 16.45).

In  fact,  TAG  is  not  much  stronger  than  TA.  It  can  be  shown  that  if  a  term 
is  assigned  a  type  by  TAG,  then  it  is  assigned  a  type  by  TA,  although  TAG  may 
assign  more  general  types.  (See  Hindley  &  Seldin  [HS86]  Theorem  16.61.)  And  if 
all  of  the  type  constants  have  degree  0,  then  TAG  is  equivalent  to  TA  (Hindley  & 
Seldin  [HS86]  Corollary  16.61.1).  These  facts  may  appear  to  show  that  TAG  is  too 
weak  to  be  interesting.  Perhaps  it  is  better  to  take  them  as  showing  that  TAG  is  a 
kind  of  conservative  extension  of  TA,  and  thus  that  the  basic  formalism  on  which 
TAG  is  based  is  sound.  This  can  give  us  some  confidence  in  extending  TAG,  as  we 
now  proceed  to  do  in  the  next  section. 
2.8 Extended generalized type assignment

As  we  noted  at  the  end  of  Section  2.1,  there  are  two  ways  to  generalize  TAG:  one  is 
to  modify  the  definition  of  type  to  allow  certain  special  types  (such  as  the  type  N  of 
natural  numbers)  to  serve  as  restricted  domains  for  type  functions,  and  the  other  is 
to  use  the  machinery  of  type  assignment  itself  to  define  the  types.  Since  the  second 
approach  is  obviously  more  general,  we  shall  adopt  it  here. 

Thus, we now suppose that there is a type of types, or a “universal” type, which for now we shall call $U$. All the types in which we are interested will be in $U$. The system we shall define here will be called “TAGU”. The reasons we had for not supplying the type of a bound variable no longer apply, so we shall return to the more familiar notation.

Definition 2.23 (TAGU terms)  The terms of TAGU are defined from countably many term variables $x_1, x_2, \ldots, x_n, \ldots$, and some term constants, which include $U$, as follows:

(a) every term variable and term constant is a term;

(b) if $M$ and $N$ are terms, then so is $(MN)$; and

(c) if $x$ is a term variable and $A$ and $M$ are terms, then $(\lambda x{:}A.M)$ and $(\forall x{:}A)M$ are terms.

Reduction for TAGU terms will be defined using the $\beta$-redexes of Definition 2.11. The only possible contractions in a term of the form $(\forall x{:}A)M$ are those which take place entirely inside $A$ and $M$.

Definition 2.24 (The type assignment system TAGU)  The system TAGU is a natural deduction system. Its formulas have the form

$M : A$

where $M$ and $A$ are terms. It has no axioms. Its rules are $(\mathrm{Eq}'')$, $(=_\alpha)$, and the following:

Rules of type formation:

$$(\forall\ \mathrm{Formation})\quad \frac{A : U \qquad \begin{array}{c}[x : A]\\ B : U\end{array}}{(\forall x{:}A)B : U}$$

Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

$$(\mathrm{Eq}'\mathrm{U})\quad \frac{A : U \qquad A =_\beta B}{B : U}$$

Rules of type assignment:

$$(\forall\,\mathrm{e})\quad \frac{M : (\forall x{:}A)B \qquad N : A}{MN : [N/x]B}$$

$$(\forall\mathrm{U}\,\mathrm{i})\quad \frac{\begin{array}{c}[x : A]\\ M : B\end{array} \qquad A : U}{\lambda x{:}A\,.\,M : (\forall x{:}A)B}$$

Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

Rule $(\mathrm{Eq}'\mathrm{U})$ is a natural rule to go with rule $(\mathrm{Eq}'')$. We can extend the proof of Theorem 2.5 to virtually eliminate it from any deduction.

Theorem 2.7  Every deduction in TAGU can be transformed into a deduction with the same undischarged assumptions and conclusion in which each inference by either of rules $(\mathrm{Eq}'')$ and $(\mathrm{Eq}'\mathrm{U})$ occurs just above the major (left) premise for an inference by rule $(\forall\,\mathrm{e})$ (in which case it is an inference by rule $(\mathrm{Eq}'')$) or just above the minor (right) premise for an inference by rule $(\forall\mathrm{U}\,\mathrm{i})$ (in which case it is an inference by rule $(\mathrm{Eq}'\mathrm{U})$) or just above the conclusion.³

³ Note that it is possible to have an inference by rule $(\mathrm{Eq}'\mathrm{U})$ followed immediately by an inference by rule $(\mathrm{Eq}'')$, the conclusion of which is the conclusion of the deduction. In this case, the inference by rule $(\mathrm{Eq}'\mathrm{U})$ will be regarded as occurring just above the conclusion.

Proof  Note that each rule which discharges an assumption of the form $x : A$ has a premise of the form $A : U$ which does not depend on the discharged assumption. Let us call the deduction of this latter premise the independent subdeduction of the
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rule  and  the  deduction  of  the  other  premise  the  dependent  subdeduction.  The  proof 
is  obtained  by  transformations  which  move  an  inference  by  one  of  the  equality  rules 
from  an  independent  subdeduction  of  a  rule  to  the  dependent  subdeduction  of  the 
same  rule  or  else  to  below  the  conclusion,  from  a  dependent  subdeduction  to  below 
the  conclusion,  from  just  above  a  minor  premise  of  (V  e)  to  just  above  the  major 
premise,  or  from  just  above  an  inference  by  (=a)  to  below  the  conclusion.  If  an 
inference  by  rule  (Eq")  occurs  just  above  an  inference  by  rule  (Eq'U),  then  the 
transformations  moving  the  latter  inference  are  applied  before  an  attempt  is  made 
to  move  the  former  (since  clearly,  an  inference  by  rule  (Eq")  occurring  just  above 
an  inference  by  rule  (Eq'U)  cannot  be  moved  below  it  without  invalidating  it).  The 
last  two  kinds  of  transformations  are  II  and  III  of  Theorem  2.5;  in  addition,  we  now 
need  the  following  transformations: 


IV.

$$
\begin{array}{c}
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}_1\\ C : U\end{array}}{A : U}\ (\mathrm{Eq}'\mathrm{U})\qquad \begin{array}{c}[x : A]^1\\ \mathcal{D}_2(x)\\ B : U\end{array}}{(\forall x{:}A)B : U}\ (\forall\ \mathrm{Formation}\text{-}1)\\
\mathcal{D}_3
\end{array}
$$

to

$$
\begin{array}{c}
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}_1\\ C : U\end{array}\qquad \begin{array}{c}\dfrac{[x : C]^1}{x : A}\ (\mathrm{Eq}'')\\ \mathcal{D}_2(x)\\ B : U\end{array}}{(\forall x{:}C)B : U}\ (\forall\ \mathrm{Formation}\text{-}1)}{(\forall x{:}A)B : U}\ (\mathrm{Eq}'\mathrm{U})\\
\mathcal{D}_3
\end{array}
$$

V.

$$
\begin{array}{c}
\dfrac{\begin{array}{c}\mathcal{D}_1\\ A : U\end{array}\qquad \dfrac{\begin{array}{c}[x : A]^1\\ \mathcal{D}_2(x)\\ C : U\end{array}}{B : U}\ (\mathrm{Eq}'\mathrm{U})}{(\forall x{:}A)B : U}\ (\forall\ \mathrm{Formation}\text{-}1)\\
\mathcal{D}_3
\end{array}
$$

to

$$
\begin{array}{c}
\dfrac{\dfrac{\begin{array}{c}\mathcal{D}_1\\ A : U\end{array}\qquad \begin{array}{c}[x : A]^1\\ \mathcal{D}_2(x)\\ C : U\end{array}}{(\forall x{:}A)C : U}\ (\forall\ \mathrm{Formation}\text{-}1)}{(\forall x{:}A)B : U}\ (\mathrm{Eq}'\mathrm{U})\\
\mathcal{D}_3
\end{array}
$$

VI.

$$
\begin{array}{c}
\dfrac{\begin{array}{c}[x : A]^1\\ \mathcal{D}_1\\ M : B\end{array}\qquad \dfrac{\begin{array}{c}\mathcal{D}_2\\ C : U\end{array}}{A : U}\ (\mathrm{Eq}'\mathrm{U})}{\lambda x{:}A\,.\,M : (\forall x{:}A)B}\ (\forall\mathrm{U}\,\mathrm{i}\text{-}1)\\
\mathcal{D}_3
\end{array}
$$

to

$$
\begin{array}{c}
\dfrac{\dfrac{\begin{array}{c}\dfrac{[x : C]^1}{x : A}\ (\mathrm{Eq}'')\\ \mathcal{D}_1\\ M : B\end{array}\qquad \begin{array}{c}\mathcal{D}_2\\ C : U\end{array}}{\lambda x{:}C\,.\,M : (\forall x{:}C)B}\ (\forall\mathrm{U}\,\mathrm{i}\text{-}1)}{\lambda x{:}C\,.\,M : (\forall x{:}A)B}\ (\mathrm{Eq}'')\\
\mathcal{D}_3
\end{array}
$$

Note that this transformation changes the type of the bound variable in the term to the left of the colon, and therefore cannot be used with this theorem.

This system is a part of the type theory of Martin-Löf, and is, in fact, one of the most important parts; see the references listed under his name. At the same time, the system has some weaknesses. For example, it is weaker than TAP: the condition $A : U$ in rule $(\forall\mathrm{U}\,\mathrm{i})$ prevents inferences corresponding to those by rule $(\forall\mathrm{i})$ in TAP because $U : U$ does not hold.⁴ There are several ways one might extend this system. One might follow Martin-Löf himself by introducing more universes. Thus, the type $U$ would become $U_0$, and a new sequence of types $U_1, U_2, \ldots, U_n, \ldots$ (finitely or infinitely many) would be introduced with axioms such as $U_n : U_{n+1}$ and rules such as the following:

$$\frac{A : U_n}{A : U_{n+1}}$$

Then in rules $(\forall\ \mathrm{Formation})$ and $(\forall\mathrm{U}\,\mathrm{i})$, $U$ may be replaced by any $U_n$. But this system is still weaker than TAP.

Another way to extend TAGU is to add two more rules: the formation rule

$$\frac{\begin{array}{c}[x : U]\\ A : U\end{array}}{(\forall x{:}U)A : U}$$

Condition: $x$ does not occur free in any undischarged assumption.

and the type assignment rule

$$\frac{\begin{array}{c}[x : U]\\ M : A\end{array}}{\lambda x{:}U\,.\,M : (\forall x{:}U)A}$$

Condition: $x$ does not occur free in any undischarged assumption.

⁴ In fact, adding $U : U$ to TAGU makes the system inconsistent; see [Coq86a].


This system is called TAGL in Hindley & Seldin [HS86] §16E, since there $U$ is called $L$. Furthermore, TAP can be interpreted in this system. Nevertheless, the system is still not as strong as one might want, since one might wonder why not allow $x : U \to U$ as the discharged assumption.

In Chapter 4, we shall consider the theory of constructions, introduced by Coquand [Coq85]. This turns out to be the best available system of this kind. (See Chapter 4 for further references.)
Chapter 3

CONSTRUCTIVE  LOGIC 


A  reader  who  has  read  this  far  is  now  in  a  position  to  understand  the  basic  rules 
and  the  metatheory  of  the  theory  of  constructions.  However,  there  is  an  important 
aspect  of  the  theory  of  constructions  that  we  have  not  discussed;  it  has  to  do  not  with 
the  underlying  rules  but  rather  with  its  intended  interpretation.  This  interpretation 
is  an  important  part  of  the  motivation  Coquand  had  in  creating  the  system.  Some 
readers  might  find  it  useful  to  consider  this  interpretation  before  proceeding  to  the 
theory  of  constructions  itself.  For  this  reason,  the  theory  of  constructions  will  be 
postponed  to  Chapter  4,  and  in  this  chapter  we  will  consider  that  interpretation. 

The interpretation is what is usually known as the Curry-Howard isomorphism, or formulas-as-types idea. The essence of it is that in systems of type assignment, types can be thought of as formulas and terms as proofs or deductions. We will consider this here for constructive logic, and it is with this that we will begin (in the latter part of this introduction). In Section 3.1, we take up a simple fragment of the propositional calculus for constructive logic in which the only logical connective is $\supset$ (if-then). In Section 3.2, we explain the essentials of the formulas-as-types idea. For some readers, this may be enough, and these readers are invited to proceed to Chapter 4 after completing Section 3.2.

For readers who want more, we consider in Sections 3.3–3.4 the extension of these ideas to propositional calculus with the additional connectives $\wedge$ (and), $\vee$ (or), and $\neg$ (not). Again, many readers may wish to proceed to Chapter 4 after completing Section 3.4.

But for those who want still more, we consider in Sections 3.5–3.6 the extension of these ideas to predicate logic, both first order logic (Section 3.5) and higher order logic¹ (Section 3.6). The systems TAJ and TAT presented in these sections will seem strange to some people, and they are not strictly necessary for using the theory of constructions, but they do give some useful information about much of its motivation and intended interpretation.

¹ I.e., simple type theory.

Let us now turn our attention to constructive logic. Most people who have heard of constructive logic understand that it has something to do with existence proofs. But in fact, the difference between classical and constructive logic involves more than that. In classical logic we are only interested in whether or not a proposition is true. In constructive logic we are interested in whether or not a proposition has a proof, and we do not want to assert its provability without having access to a proof.

This difference can be illustrated with formulas involving implication. A formula $A \supset B$ is classically false when $A$ is true and $B$ is false; it is true for all other combinations of truth values for $A$ and $B$. Note that its truth value depends only on the truth values of $A$ and $B$; how these truth values are established is classically irrelevant.

In constructive logic, implication is not truth functional; the truth of $A \supset B$ depends on much more than the truth values of $A$ and $B$. In fact, instead of specifying when $A \supset B$ is true, we need to specify what it means to have a proof of $A \supset B$. The standard constructive specification is as follows: a proof of $A \supset B$ is a function [program] which, given any proof of $A$ as an argument [input], produces a proof of $B$ as a value [output].

Truth  in  classical  logic  (at  least  propositional  logic)  can  be  defined  by  means  of 
truth  tables.  In  constructive  logic,  however,  we  really  need  to  introduce  a  kind  of 
calculus  of  proofs. 




3.1 The $\supset$-calculus

One way of defining a system of formal logic that seems especially suited to constructive logic is to use a natural deduction system of the kind introduced by Jaśkowski [Jas34] and Gentzen [Gen34] and studied extensively by Prawitz [Pra65]. We have seen the method of writing rules used by Gentzen and Prawitz in Section 2.1, but we have not really discussed natural deduction systems as such. In a natural deduction system, each logical constant is characterized by two rules, one for introducing it and one for eliminating it. In the case of implication, these two rules are as follows:

$$(\supset\mathrm{e})\quad \frac{A \supset B \qquad A}{B}\qquad\qquad (\supset\mathrm{i})\quad \frac{\begin{array}{c}[A]\\ B\end{array}}{A \supset B}$$

Rule $(\supset\mathrm{e})$ is also known as modus ponens, and rule $(\supset\mathrm{i})$ is sometimes called the deduction theorem.

A formal calculus of propositional logic for the constructive theory of $\supset$ can be defined as follows:

Definition 3.1 ($\supset$-formulas)  Assume that there are (finitely or countably many) atomic formulas $E_1, E_2, \ldots, E_n, \ldots$. Then $\supset$-formulas, or formulas, are defined as follows:

(a) Every atomic formula is a formula;

(b) If $A$ and $B$ are formulas, then so is $(A \supset B)$. Unnecessary parentheses will be omitted. Furthermore,

$A_1 \supset A_2 \supset \ldots \supset A_n \supset B$

will be regarded as an abbreviation for

$A_1 \supset (A_2 \supset (\ldots(A_n \supset B)\ldots))$.

Definition 3.2 (The formal calculus NA($\supset$))  The formal calculus NA($\supset$)² is a natural deduction system. Its formulas are $\supset$-formulas. It has no axioms; its rules are $(\supset\mathrm{e})$ and $(\supset\mathrm{i})$ given above.

Here are some examples of deductions in NA($\supset$), given in table form:

² The name NA($\supset$) means the implication fragment of NA. Here the “N” stands for “natural deduction”, while “A” stands for “absolute”, a term used by Curry [Cur63] to stand for constructive logic without negation. (Curry, who was using “N” for negation, called the system TA, but here this would be confused with “type assignment”. The letter “N” was used in this way by Gentzen [Gen34].)
In each table the last column lists the undischarged hypotheses on which the line depends.

Example 3.1  $\vdash_{NA(\supset)} A \supset A$
Proof.

$$\begin{array}{llll}
1. & A & \text{Hyp} & 1\\
2. & A \supset A & 1\ (\supset\mathrm{i}) & \\
\end{array}$$

Example 3.2  $\vdash_{NA(\supset)} A \supset B \supset A$
Proof.

$$\begin{array}{llll}
1. & A & \text{Hyp} & 1\\
2. & B \supset A & 1\ (\supset\mathrm{i}) & 1\\
3. & A \supset B \supset A & 2\ (\supset\mathrm{i}) & \\
\end{array}$$

Example 3.3  $\vdash_{NA(\supset)} (A \supset B \supset C) \supset (A \supset B) \supset A \supset C$
Proof.

$$\begin{array}{llll}
1. & A \supset B \supset C & \text{Hyp} & 1\\
2. & A \supset B & \text{Hyp} & 2\\
3. & A & \text{Hyp} & 3\\
4. & B \supset C & 1, 3\ (\supset\mathrm{e}) & 1, 3\\
5. & B & 2, 3\ (\supset\mathrm{e}) & 2, 3\\
6. & C & 4, 5\ (\supset\mathrm{e}) & 1, 2, 3\\
7. & A \supset C & 6\ (\supset\mathrm{i}) & 1, 2\\
8. & (A \supset B) \supset A \supset C & 7\ (\supset\mathrm{i}) & 1\\
9. & (A \supset B \supset C) \supset (A \supset B) \supset A \supset C & 8\ (\supset\mathrm{i}) & \\
\end{array}$$

Example 3.4  $A \supset B,\ B \supset C \vdash_{NA(\supset)} A \supset C$
Proof.

$$\begin{array}{llll}
1. & A \supset B & \text{Hyp} & 1\\
2. & B \supset C & \text{Hyp} & 2\\
3. & A & \text{Hyp} & 3\\
4. & B & 1, 3\ (\supset\mathrm{e}) & 1, 3\\
5. & C & 2, 4\ (\supset\mathrm{e}) & 1, 2, 3\\
6. & A \supset C & 5\ (\supset\mathrm{i}) & 1, 2\\
\end{array}$$
In tree form, the examples are as follows:

Example 3.1′

$$\dfrac{[A]^1}{A \supset A}\ (\supset\mathrm{i}\text{-}1)$$

Example 3.2′

$$\dfrac{\dfrac{[A]^1}{B \supset A}\ (\supset\mathrm{i}\text{-}v)}{A \supset B \supset A}\ (\supset\mathrm{i}\text{-}1)$$

Example 3.3′

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{[A \supset B \supset C]^1 \qquad [A]^3}{B \supset C}\ (\supset\mathrm{e}) \qquad \dfrac{[A \supset B]^2 \qquad [A]^3}{B}\ (\supset\mathrm{e})}{C}\ (\supset\mathrm{e})}{A \supset C}\ (\supset\mathrm{i}\text{-}3)}{(A \supset B) \supset A \supset C}\ (\supset\mathrm{i}\text{-}2)}{(A \supset B \supset C) \supset (A \supset B) \supset A \supset C}\ (\supset\mathrm{i}\text{-}1)$$

Example 3.4′

$$\dfrac{\dfrac{\underset{\mathrm{Hyp}}{B \supset C} \qquad \dfrac{\underset{\mathrm{Hyp}}{A \supset B} \qquad [A]^1}{B}\ (\supset\mathrm{e})}{C}\ (\supset\mathrm{e})}{A \supset C}\ (\supset\mathrm{i}\text{-}1)$$
3.2 Formulas-as-types

If Definition 3.1 is compared with the remarks immediately before Definition 1.3 (in Section 1.2), it will be observed that the $\supset$-formulas are isomorphic to the type symbols used in defining the basic typed $\lambda$-terms; each atomic formula $E_i$ corresponds to an atomic type and if $A$ and $B$ correspond to $\alpha$ and $\beta$ respectively, then $A \supset B$ corresponds to $\alpha \to \beta$. If Definition 3.2 is compared with Definition 2.3, it should be clear that deductions in NA($\supset$) are isomorphic to deductions in TA. Now by the subject-construction theorem, the terms in deductions in TA are isomorphic to the deductions. Hence, we can think of TA as a calculus of deductions of NA($\supset$), where the types represent the formulas and the terms represent the deductions. If we make use of Definition 2.3, we can use basic typed $\lambda$-terms to represent deductions in NA($\supset$).

This correspondence between typed $\lambda$-calculus and propositional logic was first noticed by Curry in [CF58] Section 9E, and was later extended independently by a number of people, including W. A. Howard [How80]. (For more references, see Hindley & Seldin [HS86] Discussion 14.46.) The correspondence is usually called the formulas-as-types isomorphism or the Curry-Howard isomorphism.

As  we  noted  after  Definition  2.3,  a  /3-reduction  step  for  deductions  in  TA  is 
similar  to  the  D-reduction  step  of  Prawitz  [Pra65].  In  fact,  under  the  formulas- as- 
types  isomorphism,  the  two  types  of  reduction  steps  correspond  exactly,  the  proof  of 
Theorem  2.2  (i.e.,  the  proof  of  Theorem  1.2)  together  with  the  isomorphism  proves 
Prawitz’s  result  for  NA(d),  namely  that  every  deduction  can  be  reduced  to  a  normal 
form.  Here,  a  normal  form  means  that  nowhere  in  the  deduction  is  the  conclusion 
of  an  inference  by  (D  i)  the  major  (left)  premise  for  an  inference  by  (D  e). 
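
To make the correspondence concrete, here is an added example (written for this
edition, not taken from the report): a small type checker for Church-style typed
λ-terms that reads the type it infers as the formula the term proves. The terms for
Examples 3.1'–3.4' are the ones the isomorphism assigns to those deductions; the
names `Arrow`, `infer`, `proves` and `NotATerm` are this example's own.

```python
# Added example, not from the report: a type checker for Church-style simply
# typed lambda-terms that reads the inferred type as the formula the term
# proves, i.e. the formulas-as-types reading of NA(⊃) deductions as TA terms.
# Identifier names (Arrow, Lam, infer, proves, ...) are this example's own.
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass(frozen=True)
class Arrow:
    """Function type α → β, read as the implication A ⊃ B."""
    left: "Type"
    right: "Type"


Type = Union[str, Arrow]          # an atomic type/formula is just its name


@dataclass(frozen=True)
class Var:
    name: str                     # a variable: an (open) assumption


@dataclass(frozen=True)
class Lam:
    var: str                      # λx:A . body, i.e. an inference by (→i)
    ann: Type
    body: "Term"


@dataclass(frozen=True)
class App:
    fn: "Term"                    # M N, i.e. an inference by (→e)
    arg: "Term"


Term = Union[Var, Lam, App]


class NotATerm(Exception):
    """Raised when no deduction of the subject-construction form exists."""


def infer(term: Term, ctx: Optional[Dict[str, Type]] = None) -> Type:
    """Return the type of `term` under `ctx` (the undischarged assumptions).

    (→i): from [x : A] ... M : B infer λx:A . M : A → B (discharging x)
    (→e): from M : A → B and N : A infer MN : B
    """
    ctx = {} if ctx is None else ctx
    if isinstance(term, Var):
        if term.name not in ctx:
            raise NotATerm(f"variable {term.name} has no assumption")
        return ctx[term.name]
    if isinstance(term, Lam):
        body_ty = infer(term.body, {**ctx, term.var: term.ann})
        return Arrow(term.ann, body_ty)
    fn_ty = infer(term.fn, ctx)
    arg_ty = infer(term.arg, ctx)
    if not isinstance(fn_ty, Arrow) or fn_ty.left != arg_ty:
        raise NotATerm("(→e) needs M : A → B and N : A with the same A")
    return fn_ty.right


def show(ty: Type) -> str:
    """Render a type as a formula; ⊃ associates to the right, so only a
    left-nested implication needs parentheses."""
    if isinstance(ty, str):
        return ty
    left = show(ty.left)
    if isinstance(ty.left, Arrow):
        left = f"({left})"
    return f"{left} ⊃ {show(ty.right)}"


def proves(term: Term, hyps: Optional[Dict[str, Type]] = None) -> str:
    """The formula proved by `term`, given the types of its hypotheses."""
    return show(infer(term, hyps))


A, B, C = "A", "B", "C"
# Example 3.1':  λx:A . x           proves A ⊃ A
EX31 = Lam("x", A, Var("x"))
# Example 3.2':  λx:A . λy:B . x    proves A ⊃ B ⊃ A (y is discharged vacuously)
EX32 = Lam("x", A, Lam("y", B, Var("x")))
# Example 3.3':  λx:A⊃B⊃C . λy:A⊃B . λz:A . xz(yz)
EX33 = Lam("x", Arrow(A, Arrow(B, C)),
           Lam("y", Arrow(A, B),
               Lam("z", A, App(App(Var("x"), Var("z")),
                               App(Var("y"), Var("z"))))))
# Example 3.4':  with hypotheses f : B ⊃ C and g : A ⊃ B,  λx:A . f(gx)
EX34 = Lam("x", A, App(Var("f"), App(Var("g"), Var("x"))))
HYPS34 = {"f": Arrow(B, C), "g": Arrow(A, B)}

if __name__ == "__main__":
    for t, h in ((EX31, None), (EX32, None), (EX33, None), (EX34, HYPS34)):
        print(proves(t, h))
```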

This isomorphism can also be used to show that certain formulas are not provable
in NA(⊃). Let us consider as an example the formula known as Peirce's law,

    ((A ⊃ B) ⊃ A) ⊃ A.

It is not hard to see that this formula is classically true, for it is only necessary to
consider what assignment of truth values could make it false. This would require an
assignment that makes A false and (A ⊃ B) ⊃ A true. Now if A is false and (A ⊃ B)
⊃ A is true, then A ⊃ B must also be false, but this is impossible if A is false. Thus,
Peirce's law is always assigned the value true by a truth table. Nevertheless, it is
not constructively valid.

Theorem 3.1 The formula scheme ((A ⊃ B) ⊃ A) ⊃ A is not provable in NA(⊃).

Proof If this formula were provable, it would be the conclusion of a normal
deduction in which every assumption is discharged. By the formulas-as-types
isomorphism, it would follow that for any two types α and β, there is a closed term
M in normal form such that

    ⊢_TA M : ((α → β) → α) → α.

It follows that M : ((α → β) → α) → α is the conclusion of a deduction D in
normal form. By the subject-construction theorem, M must have the form λx.N
for some term N for which FV(N) ⊆ {x}, and D must have the form

             1
    [x : (α → β) → α]
            D1
          N : α
    ----------------------------- (→i-1)
    λx.N : ((α → β) → α) → α.

Since it is sufficient to prove that there exist types α and β for which this is
impossible, there is no loss of generality in assuming that α is atomic, and thus that
there is no inference by (→i) in the left branch of D1. Since the only undischarged
assumption in D1 is x : (α → β) → α, it follows that this assumption occurs at the
top of the left branch of D1. Hence, D1 has the following form, where N is xP:

                           x : (α → β) → α
                                 D2
    x : (α → β) → α          P : α → β
    ----------------------------------- (→e)
                   xP : α

Note that FV(P) ⊆ {x}. Now consider the structure of D2: if the left branch
had no inference by (→i), then the left branch would begin with the assumption
x : (α → β) → α and would end with P : α → β, which is impossible since α is
assumed to be atomic. It follows that D2 has the following form, where P is λy.Q:

                              2
    x : (α → β) → α,  [y : α]
               D3
             Q : β
    ----------------------- (→i-2)
       λy.Q : α → β

Hence, D3 is a normal deduction of

    x : (α → β) → α, y : α ⊢_TA Q : β,

where FV(Q) ⊆ {x, y}. Since we can assume without loss of generality that β as
well as α is atomic, this is clearly impossible. ∎

Corollary 3.1.1 If A and B are atomic formulas, then

    ⊬_NA(⊃) ((A ⊃ B) ⊃ A) ⊃ A.


3.3 Adding ∧, ∨, and ⊥ (for ¬)

Let us now turn to the full propositional calculus. In addition to ⊃ (implication),
we need ∧ (and), ∨ (or), and ¬ (not). In constructive logic, ¬ is usually defined in
terms of ⊥ (absurdity), and we shall follow this practice here.

Definition 3.3 (Propositional formulas) Assume that, as in Definition 3.1, we
have finitely or countably many given atomic formulas E_1, ..., E_n, .... Propositional
formulas are then defined as follows:

(a) a given atomic formula E_i is an (atomic) formula;

(b) ⊥ is an (atomic) formula; and

(c) if A and B are formulas, then so are (A ⊃ B), (A ∧ B), and (A ∨ B).

Notation Unnecessary parentheses will be omitted. The infixes ∧ and ∨ will have
smaller scope than ⊃. The abbreviation

    ¬A

will be used for

    A ⊃ ⊥.

The elimination and introduction rules postulated for ∧ and ∨ are as follows:

    (∧e)    A ∧ B        A ∧ B          (∧i)    A    B
           -------      -------                ---------
              A            B                     A ∧ B

    (∨e)               [A]   [B]         (∨i)      A            B
             A ∨ B      C     C                 -------      -------
            -------------------                  A ∨ B        A ∨ B
                      C

Of these rules, (∨e) will probably look least familiar. It is easy to understand if we
think of proof by cases: if case A or case B holds, and if C can be proved in each
case, then C must be provable.

The elimination and introduction rules for negation, which are derived from
those for implication, are as follows:

    (¬e)    ¬A    A          (¬i)    [A]
           ---------                  ⊥
               ⊥                    -----
                                     ¬A

There is one additional rule used with negation; it is as follows:

    (⊥j)     ⊥
            ---
             A

It expresses the fact that anything follows from a contradiction, a fact accepted by
most constructivists. (For those constructivists who do not accept this principle,
there is the minimal calculus, which is the system NJ without this rule. We will not
bother with the minimal calculus here.)

This leads us to the following definition:

Definition 3.4 (The formal calculus NJ) The formal calculus NJ is a natural
deduction system. Its formulas are the propositional formulas of Definition 3.3. It
has no axioms. Its rules are (⊃e), (⊃i), (∧e), (∧i), (∨e), (∨i), and (⊥j).

Remark Many people may be surprised that rule (¬i) is constructively valid, since
it is often said that constructivists object to proof by contradiction. In fact, the
form of proof by contradiction to which constructivists object is not (¬i), but rather
the following rule:

    (⊥d)    [¬A]
             ⊥
           -----
             A

This rule is not valid in NJ; in fact, if it is added to NJ, the result is classical logic.
It turns out that it is possible to modify Definition 3.4 somewhat:
Lemma 3.1 If rule (⊥j) is postulated in the form

    (⊥j)     ⊥
            ---
             E

where E is one of the given atomic formulas, then the rule holds in its full generality
as a derived rule.

Proof Since the case of the rule in which A is ⊥ is trivial, it is sufficient to prove the
rule for compound formulas A on the assumption that it holds for shorter formulas.
The three cases (note that ¬ is taken care of by the case for ⊃) are taken care of
by the following three deductions:

        ⊥                     ⊥            ⊥                    ⊥
      ----- (⊥j)            ----- (⊥j)   ----- (⊥j)           ----- (⊥j)
        B                     A            B                    A
     -------- (⊃i-v)        ---------------- (∧i)            ------- (∨i)
      A ⊃ B                      A ∧ B                        A ∨ B
3.4 Extension of formulas-as-types

In order to extend the formulas-as-types isomorphism of Section 2 to NJ, it is most
natural to compare ∧, ∨, and ⊥ to ×, +, and void. This leads us to consider the
system extended TA of the remark at the end of Section 2.1. But this system does
not correspond exactly to NJ. Instead it corresponds to a system obtained from NJ
by replacing the rules (∧e), (∧i), (∨e), and (∨i) by the following axiom schemes:

(1) A ⊃ B ⊃ A ∧ B;

(2) A ∧ B ⊃ A;

(3) A ∧ B ⊃ B;

(4) A ⊃ A ∨ B;

(5) B ⊃ A ∨ B;

and

(6) A ∨ B ⊃ (A ⊃ C) ⊃ (B ⊃ C) ⊃ C.

It should be clear that, in the presence of the rules (⊃e) and (⊃i), these six axiom
schemes are equivalent to the indicated rules.

Note that by Lemma 3.1, rule (⊥j) is equivalent to the scheme

(7) ⊥ ⊃ E,

where E is an atomic formula distinct from ⊥. This scheme would appear not
to correspond to any term in extended TA, since such a term would have to be
assigned the type void → θ for an atomic type θ. If there is some object M in the
type θ, then we can apply (→i) with vacuous discharge of the assumption x : void
to obtain the conclusion λx.M : void → θ. But we cannot guarantee that there is
an object M to which θ is assigned for each atomic type θ; indeed, if there were
such a term for each atomic type, this would correspond to the provability of each
atomic formula. So instead, we will add to extended TA a constant ⊥_θ for each
atomic type θ distinct from void, and we will assume the axiom

    (⊥jθ)  ⊥_θ : void → θ.

Since these constants ⊥_θ do not occur at the beginning of any redexes, they do
not affect the normalization result. Hence, these axioms cannot be used to produce
closed terms in any of the θ. Furthermore, by the proof of Lemma 3.1, it should be
clear that for each type α there is a closed term ⊥_α of type void → α.

It is not difficult to show that Theorem 3.1 and Corollary 3.1.1 apply to NJ. The
normalization theorem for extended TA plus the constants ⊥_θ and axioms (⊥jθ)
can be used to prove that NJ is, indeed, different from classical logic in one of its
most important aspects.

Theorem 3.2 For at least one formula A,

    ⊬_NJ A ∨ ¬A.

Proof Let A be an atomic formula. Let D be a proof (i.e., a deduction with
no undischarged assumptions) whose conclusion is A ∨ ¬A. An instance of axiom
scheme (6) is

    A ∨ ¬A ⊃ (A ⊃ A) ⊃ (¬A ⊃ A) ⊃ A.

Using this, D, Example 3.1, and two inferences by (⊃e), we get a proof of

    (¬A ⊃ A) ⊃ A,

which is, when abbreviations are removed,

    ((A ⊃ ⊥) ⊃ A) ⊃ A.

Since both A and ⊥ are atomic formulas, this is unprovable by Corollary 3.1.1.³ ∎

³The reduction and normalization procedure used here for NJ, which is based on extended
TA plus (⊥jθ), is not the usual normalization procedure for NJ in proof theory. For the usual
procedure, see Prawitz [Pra65] Chapter IV.
3.5 First order quantifiers

It is standard in logic to proceed from propositional logic to first order logic. In
first order logic, universal and existential quantifiers are present, and are assumed
to operate over one fundamental domain of individuals; it is not possible to quantify
over sets of individuals or functions whose arguments and values are individuals.

To take an example from elementary arithmetic, suppose that the fundamental
domain is the set of natural numbers, and suppose that our language has terms
representing the natural numbers and also addition and multiplication (which, for
now, will be denoted by their usual notation in algebra). Suppose also that formulas
include equations between expressions denoting numbers. Then a formula stating
that x is an even number is

    (∃y)(x = 2y),

where 2 is the term representing the number 2. A formula stating that x < y is

    (∃u)(¬u = 0 ∧ y = x + u),

where 0 represents the number 0. (Recall that in the set of natural numbers, there
are no negative numbers, so that if a number is different from 0 it is positive.) A
formula which says that x divides evenly into y is

    (∃u)(¬u = 0 ∧ y = xu).

Finally, a formula which says that 0 is an identity for addition is

    (∀x)(x = x + 0).

In giving these examples, I assumed that there is a term representing each natural
number. In fact, such terms are easy to construct: begin with an individual constant
0 and a function symbol σ with one argument. Then the term n representing the
natural number n is

    σ(σ(...(σ0)...)),

where there are n occurrences of σ.

If we analyze the structure of the formulas in these examples, we see that we
have an individual constant 0, individual variables x, y, u, ..., function symbols σ
of one argument and + and · (multiplication) of two arguments, a predicate symbol
= of two arguments, the logical connectives of propositional logic, and the universal
and existential quantifiers. This leads us to the following formal definition:
Definition 3.5 (First order term and formula) Assume that we have countably
many individual variables x, y, z, x_1, etc., finitely or countably many individual
constants e_1, e_2, ..., finitely or countably many function symbols ω_1, ω_2, ..., and
finitely or countably many predicate symbols φ_1, φ_2, ..., where each function symbol
and predicate symbol has associated with it a natural number called its degree,
which represents its number of arguments. Then terms are defined as follows:

(a) individual constants and individual variables are terms; and

(b) if ω is a function symbol of degree m, and if t_1, ..., t_m are terms, then
ω(t_1, ..., t_m) is a term.

First order formulas are now defined as follows:

(c) if φ is a predicate symbol of degree m and if t_1, ..., t_m are terms, then
φ(t_1, ..., t_m) is an atomic formula;

(d) ⊥ is an atomic formula;

(e) if A and B are formulas, then so are (A ∧ B), (A ∨ B), and (A ⊃ B); and

(f) if A is a formula and x an individual variable, then (∀x)A and (∃x)A are formulas.

Parentheses will be omitted as usual. An occurrence of an individual variable
is said to be bound if it is within the scope of a universal or existential quantifier;
otherwise it is free.

Notes (1) Both function symbols and predicate symbols may have degree 0. A
function symbol of degree 0 is just an individual constant; individual constants are
listed separately because it is customary to do so. A predicate symbol of degree 0
is an atomic formula. One example of such an atomic formula is ⊥.

(2) Here ⊥ is, in effect, taken to be a predicate symbol of degree 0. But this is
not necessary in all first order systems. For example, in first order arithmetic, ⊥ is
often defined to be the atomic formula 0 = σ0, which is 0 = 1. What is important
is that ⊥ be an atomic formula.

Definition 3.6 (The formal calculus NJ*) The formal calculus NJ* is a natural
deduction system. Its formulas are the first order formulas of Definition 3.5. It
has no axioms. Its rules are the rules of NJ and, in addition, the following:

    (∀e)    (∀x)A(x)        Condition: t is a term.
           ----------
             A(t)

    (∀i)      A(x)          Condition: x does not occur free in any
           ----------       undischarged assumption.
            (∀x)A(x)

    (∃e)               [A(y)]        Condition: y does not occur free in C
            (∃x)A(x)     C           or in any undischarged assumption.
           -----------------
                   C

    (∃i)      A(t)          Condition: t is a term.
           ----------
            (∃x)A(x)

The condition on the variable x in rule (∀i) guarantees that no assumption is made
about x above the inference. Rule (∃e) formalizes the argument: there is an x
such that A(x); let y be a thing such that A(y); conclusion C (where y does not
occur free in C). See the discussion after Definition 2.17. The condition on y is
obviously necessary for this rule. Variables such as x in (∀i) and y in (∃e) are called
eigenvariables or characteristic variables.

At first glance it might appear that the natural way to extend the formulas-as-
types isomorphism to NJ* is to use the system TAP. But this will not work. For
in TAP, only types (corresponding to formulas) can be substituted for the (type)
variables, whereas in NJ* we must be able to substitute terms for the quantified
variables. Instead, we will need to take a type to represent the fundamental domain
of quantification, and introduce quantification over that type. We will also need to
modify the definition of type to correspond to Definition 3.5.

Thus, suppose one of the atomic types is J, the type of individuals. For each
individual constant e, we will want to assume

    e : J.

For each function symbol ω of degree m, we will want to assume

    ω : J → J → ... → J,

where there are m + 1 occurrences of J. Then it will follow for each closed term t
that

    t : J.
Furthermore, if t is a term with free variables x_1, ..., x_n, then it will follow that

    x_1 : J, ..., x_n : J ⊢ t : J.

Next, we need to generalize the definition of atomic type: for each predicate symbol
φ of degree m, and for any terms we need that is a type.

We also assume void is an atomic type, and form as usual types α × β, α + β, and
α → β. Also, we need that if x is a variable and α is a type, then (∀x : J)α and
(∃x : J)α are types.

It remains to specify the terms in (∀x : J)α and (∃x : J)α. For the type (∀x : J)α,
we want a function which, when applied to any object t of type J, produces a value
in [t/x]α. Note that, as in TAG, the type of this function depends on its argument
and not just on the type of its argument. For (∃x : J)α, we want to have pairs
(t, M) such that t has type J and M has type [t/x]α. These are just the kind of
pairs we were unable to represent in the type structures of Section 1.1. We shall
have more to say about this later.

The above conventions, although stated as in previous definitions, can also be
obtained by using the machinery of TA or TAG. What is necessary is some type
to which the above types belong, such as the type U of Section 2.8. Since the
above types represent propositions, this new type will be called Prop. We have the
following formal definition:

Definition 3.7 (TAJ types) The types of the system TAJ are defined as follows:

(a) J and Prop are (atomic) types; and

(b) if α and β are types, then so is (α → β).

The special types J^n and Prop^n for n ≥ 0 are defined as follows (by induction on n):

    J^0 = J,          J^{n+1} = J → J^n;

    Prop^0 = Prop,    Prop^{n+1} = J → Prop^n.

Definition 3.8 (TAJ terms) The terms of TAJ are defined from countably many
term variables x_1, x_2, ..., x_n, ..., and the term constants e_1, e_2, ..., ω_1, ω_2, ...,
φ_1, φ_2, ..., void, D, D_J, fst, snd, inl, inr, case, proj_J, and ⊥, as follows:

(a) every term variable and term constant is a term;

(b) if M, N, A, and B are terms, so are (MN), (A × B), (A + B), and (A → B); and

(c) if x is a term variable and A and M are terms, then (λx:A . M), (λx:J . M),
(∀x : J)A, and (∃x : J)A are terms.

With each constant ω_i and φ_i is associated a natural number dg(ω_i) or dg(φ_i),
called the degree of the constant in question.
Definition 3.9 (Reduction for TAJ terms) Reduction for TAJ terms is defined
by the following table of redexes and contracta:

    Name       Redex                            Contractum

    (β)        (λx:A . M)N                      [N/x]M

    (fst)      fstAB(DABMN)                     M

    (snd)      sndAB(DABMN)                     N

    (case1)    caseAB(inlABM)CFG                FM

    (case2)    caseAB(inrABM)CFG                GM

    (proj)     proj_J A C Z (D_J A M N)         ZMN
Definition 3.10 (The type assignment system TAJ) The system TAJ is a
natural deduction system. Its formulas are all expressions of the form

    M : A,

where M is a term and A is either a term or a type. The axioms are as follows:

    (e_i)     e_i : J,

    (ω_i)     ω_i : J^m,       m = dg(ω_i),

    (φ_i)     φ_i : Prop^m,    m = dg(φ_i),

for each i, and

    (void)    void : Prop.

The rules of TAJ come in two groups:

Rules of type formation:

    (× Formation)    A : Prop    B : Prop
                    ---------------------
                        A × B : Prop

    (+ Formation)    A : Prop    B : Prop
                    ---------------------
                        A + B : Prop

    (→ Formation)    A : Prop    B : Prop
                    ---------------------
                        A → B : Prop

    (∀J Formation)        [x : J]            Condition: x does not occur free
                          A : Prop           in any undischarged assumption.
                    ---------------------
                     (∀x : J)A : Prop

    (∃J Formation)        [x : J]            Condition: x does not occur free
                          A : Prop           in any undischarged assumption.
                    ---------------------
                     (∃x : J)A : Prop

Rules of type assignment:

    (×e)1    M : A × B    A : Prop    B : Prop
            ----------------------------------
                      fstABM : A

    (×e)2    M : A × B    A : Prop    B : Prop
            ----------------------------------
                      sndABM : B

    (×i)     M : A    N : B    A : Prop    B : Prop
            ------------------------------------
                      DABMN : A × B

    (+e)                  [x : A]    [y : B]
             M : A + B     N : C      P : C     A : Prop    B : Prop    C : Prop
            --------------------------------------------------------------------
                       caseABMC(λx:A . N)(λy:B . P) : C

             Condition: x and y do not occur free in M, A, B, C, or in any
             undischarged assumption; x does not occur free in P, and y does
             not occur free in N.

    (+i)1    M : A    A : Prop    B : Prop
            ------------------------------
                   inlABM : A + B

    (+i)2    N : B    A : Prop    B : Prop
            ------------------------------
                   inrABN : A + B

    (→e)     M : A → B    N : A          Condition: A and B are both terms
            --------------------         or both types.
                   MN : B

    (→i)1        [x : A]                 Condition: x does not occur free in
              M : B    A : Prop          A, B, or in any undischarged
            --------------------         assumption, and A is a term.
             λx:A . M : A → B

    (→i)2        [x : A]                 Condition: x does not occur free in
                 M : B                   A, B, or in any undischarged
            --------------------         assumption, and A and B are types.
             λx:A . M : A → B

    (⊥jφ_i)  For each i,
             N_1 : J    N_2 : J    ...    N_m : J           Condition: m = dg(φ_i).
            ----------------------------------------------------
             ⊥_{φ_i N_1 N_2 ... N_m} : void → φ_i N_1 N_2 ... N_m

    (∀Je)    M : (∀x : J)A    N : J
            ------------------------
                 MN : [N/x]A

    (∀Ji)        [x : J]                 Condition: x does not occur free in
                 M : A                   any undischarged assumption.
            --------------------
             λx:J . M : (∀x : J)A

    (∃Je)                  [x : J][y : A]    [x : J]
             M : (∃x : J)A      N : C        A : Prop    C : Prop
            ------------------------------------------------------
             proj_J(λx:J . A)C(λx:J . λy:A . N)M : C

             Condition: x and y do not occur free in C, M, or in any
             undischarged assumptions, and y does not occur free in A.
    (∃Ji)        [x : J]
             M : J    N : [M/x]A    A : Prop
            ---------------------------------
             D_J(λx:J . A)MN : (∃x : J)A

             Condition: x does not occur free in M or N or in any
             undischarged assumption.

    (≡'α)     M : A          Condition: N is obtained from M by changes of
             -------         bound variables.
              N : A

    (≡''α)    M : A          Condition: B is obtained from A by changes of
             -------         bound variables.
              M : B

Notes (1) As we have seen, we have in TAJ functions the type of whose values
depends on the arguments as well as on the types of the arguments, and we also have
pairs in which the type of the second element depends on the first element as well
as on its type. This means that the type structures of Section 1.1 are not models
of TAJ (just as they are not models of TAP). It is possible to construct a kind of
semantics for TAJ as follows: J is interpreted as the set of all closed terms of NJ*;
Prop is interpreted as the set of closed formulas of NJ*; the function types built
up from J and Prop using → are interpreted using terms and formulas in which
free variables occur; and terms assigned as types terms in Prop are interpreted as
deductions or, if they are closed, as proofs. Any other model for TAJ is likely to be
too complicated to provide most people with any insight.

(2) The presence of λx:J . A in the conclusion of rules (∃Je) and (∃Ji) may seem
a bit strange. It is there merely to supply A as an argument, and therefore it might
seem more appropriate to use simply A. But if we did that, then x would occur
free in the conclusion whenever it occurs free in A, which is contrary to the spirit
of the system. The only obvious alternative is to postulate D_{J,A} and proj_{J,A} for
each formula A, but in this case whether or not a term D_{J,A} is defined depends on
whether or not there is a deduction whose conclusion is A : Prop, and this is also
contrary to the spirit of the system. The (proj) contraction of Definition 3.9 shows
that it makes no difference whether A or λx:J . A is used as an argument here, since
it disappears in the contraction.

The system TAJ contains the system NJ* in an important sense, for we can
easily write ∧, ∨, ⊃, and ⊥ instead of ×, +, →, and void (provided, of course,
that the constant ⊥ of TAJ is renamed). The system NJ* has been given here as a
separate system because it is traditional to do so. However, from here on, systems
of logic will only be presented with the systems of type assignment with which they
are associated by the formulas-as-types isomorphism.
3.6 The full theory of types

An examination of TAJ raises a question: why quantify only over the type J? Why
not quantify over other types, such as Prop? In fact, why not quantify over all of the
TAJ types of Definition 3.7? There is, in fact, no reason at all for not quantifying
over all TAJ types, and a logic based on this idea was proposed as long ago as 1940
by Church [Chu40]. A version of this system will now be presented as a system of
type assignment.

Clearly the main difference between TAJ and the system that will be defined
here is that instead of only (∀x : J) and (∃x : J), we will now have (∀x : α) and
(∃x : α) for every TAJ type α. It should be clear how to obtain the more general
quantifier rules required here from those of TAJ.

However, there is another important difference: one of the TAJ types is Prop,
and since we can quantify over Prop, we can interpret TAP in this new system.
This means that we can use the definitions of Section 2.4 to reduce the number of
primitives.

The new system will be called TAT.

The types of TAT will be those of TAJ (Definition 3.7).

Definition 3.11 (TAT terms) The terms of TAT are defined from countably
many term variables x_1, x_2, ..., x_n, ..., and the term constants e_1, e_2, ..., ω_1, ω_2, ...,
φ_1, φ_2, ..., as follows:

(a) every term variable and term constant is a term;

(b) if M and N are terms, so are (MN) and (M → N); and

(c) if x is a term variable, A and M are terms, and α is a type, then (λx:A . M),
(λx:α . M), and (∀x : α)A are terms.

With each constant ω_i and φ_i is associated a natural number dg(ω_i) or dg(φ_i),
called the degree of the constant in question.

Reduction for TAT terms is defined using the β-redexes of Definition 3.9.

Definition 3.12 (The type assignment system TAT) The system TAT is a
natural deduction system. Its formulas are all expressions of the form

    M : A,

where M is a term and A is either a term or a type. The axioms are (e_i), (ω_i), and
(φ_i) from Definition 3.10 for each i. The rules of type formation are (→ Formation)
of Definition 3.10 and

    (∀α Formation)        [x : α]            Condition: x does not occur free
                          A : Prop           in any undischarged assumption,
                    ---------------------    and α is a type.
                     (∀x : α)A : Prop

The rules of type assignment are (→e), (→i), (≡'α), and (≡''α) of Definition 3.10
and, for each type α,

    (∀αe)    M : (∀x : α)A    N : α
            ------------------------
                 MN : [N/x]A

    (∀αi)        [x : α]                 Condition: x does not occur free in
                 M : A                   any undischarged assumption.
            --------------------
             λx:α . M : (∀x : α)A

Remark As in TAJ, the type structures of Section 1.1 are not models of TAT.
There are models of the original (classical) version of Church's type theory formed
by interpreting J as any set, Prop as the set of two truth values, true and false,
and interpreting compound types α → β as the set of all functions from the set
corresponding to α to the set corresponding to β. But these models are not models
of TAT because they do not model the deductions. Furthermore, since TAP can be
interpreted in TAT, it follows that TAT has no set theoretic models. It is probably
best to adopt the procedure we used for TAJ, and interpret Prop as the set of closed
formulas. Because we now have quantifiers over all types, this idea is hard to make
precise, and so is unlikely to be accepted as the basis for any kind of theory of
models. Nevertheless, the idea probably gives most people more insight into TAT
than any other notion of semantics.

Now  let  us  show  how  to  use  the  definitions  of  Section  2.4  to  define  the  other  terms 
and  operators  of  TAJ.  Some  changes  in  the  previous  definitions  will  be  necessary: 
wherever  we  previously  had  a  quantifier  (Va),  we  will  now  need  a  quantifier  (Vz  : 
Prop),  and  where  we  previously  used  the  abstraction  Aa,  we  will  now  need  Au  :  Prop. 
Furthermore,  the  existential  quantifier  will  need  somewhat  different  treatment,  since 
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we  now  expect  the  elements  assigned  an  existential  type  will  be  pairs.  In  addition, 
it  is  now  possible  to  quantify  over  the  parameters  that  stood  for  type  schemes  in 
TAP  and  now  stand  for  terms  of  type  Prop.  For  this  reason,  it  is  worth  stating 
these  definitions  again  for  this  system. 

Definition 3.13 (Cartesian product proposition) The product type operator and its associated pairing and projection operators are defined as follows:

(a) $\times = \lambda u:\mathrm{Prop}\,.\,\lambda v:\mathrm{Prop}\,.\,(\forall w : \mathrm{Prop})((u \to v \to w) \to w)$;

(b) $\mathsf{D} = \lambda u:\mathrm{Prop}\,.\,\lambda v:\mathrm{Prop}\,.\,\lambda x:u\,.\,\lambda y:v\,.\,\lambda w:\mathrm{Prop}\,.\,\lambda z:u \to v \to w\,.\,zxy$;

(c) $\mathsf{fst} = \lambda u:\mathrm{Prop}\,.\,\lambda v:\mathrm{Prop}\,.\,\lambda x:{\times}uv\,.\,xu(\lambda y:u\,.\,\lambda z:v\,.\,y)$; and

(d) $\mathsf{snd} = \lambda u:\mathrm{Prop}\,.\,\lambda v:\mathrm{Prop}\,.\,\lambda x:{\times}uv\,.\,xv(\lambda y:u\,.\,\lambda z:v\,.\,z)$.

We use $A \times B$ as an abbreviation for ${\times}AB$.

It is not at all difficult to prove from these definitions that if $A : \mathrm{Prop}$ and $B : \mathrm{Prop}$, then

$\mathsf{D}AB : A \to B \to A \times B$,

and

$\mathsf{fst}AB : A \times B \to A$,
$\mathsf{snd}AB : A \times B \to B$.

Furthermore, it is easy to see that if $M : A$ and $N : B$, then

$\mathsf{fst}AB(\mathsf{D}ABMN) =_\beta M$

and

$\mathsf{snd}AB(\mathsf{D}ABMN) =_\beta N$.

Definition 3.14 (Disjoint union type) The disjoint union operator and its associated injection and case operators are defined as follows:

(a) $\oplus = \lambda u:\mathrm{Prop}\,.\,\lambda v:\mathrm{Prop}\,.\,(\forall w : \mathrm{Prop})((u \to w) \to ((v \to w) \to w))$;

(b) $\mathsf{inl} = \lambda u:\mathrm{Prop}\,.\,\lambda v:\mathrm{Prop}\,.\,\lambda x:u\,.\,\lambda w:\mathrm{Prop}\,.\,\lambda f:u \to w\,.\,\lambda g:v \to w\,.\,fx$;

(c) $\mathsf{inr} = \lambda u:\mathrm{Prop}\,.\,\lambda v:\mathrm{Prop}\,.\,\lambda y:v\,.\,\lambda w:\mathrm{Prop}\,.\,\lambda f:u \to w\,.\,\lambda g:v \to w\,.\,gy$; and

(d) $\mathsf{case} = \lambda u:\mathrm{Prop}\,.\,\lambda v:\mathrm{Prop}\,.\,\lambda z:{\oplus}uv\,.\,\lambda w:\mathrm{Prop}\,.\,\lambda f:u \to w\,.\,\lambda g:v \to w\,.\,zwfg$.

We use $A + B$ as an abbreviation for ${\oplus}AB$.

It is easy to show that if $A : \mathrm{Prop}$ and $B : \mathrm{Prop}$, then

$\mathsf{inl}AB : A \to A + B$,

and

$\mathsf{inr}AB : B \to A + B$,

$\mathsf{case}AB : A + B \to (\forall w : \mathrm{Prop})((A \to w) \to ((B \to w) \to w))$.

Furthermore, it is easy to show that if $C : \mathrm{Prop}$, $M : A$, $N : B$, $F : A \to C$, and $G : B \to C$, then

$\mathsf{case}AB(\mathsf{inl}ABM)CFG =_\beta FM$

and

$\mathsf{case}AB(\mathsf{inr}ABN)CFG =_\beta GN$.

Definition 3.15 (void type) $\mathrm{void} = (\forall x : \mathrm{Prop})x$.

Definition 3.16 (Existential quantifier) If $\alpha$ is a type, $B$ is a term, and if, for a variable $x$ which does not occur free in $\alpha$ but may occur free in $B$, we have $x : \alpha \vdash B : \mathrm{Prop}$, then the existential quantifier over $\alpha$ and its associated pairing and projection functions are defined as follows:

(a) $(\exists x : \alpha)B = (\forall w : \mathrm{Prop})((\forall x : \alpha)(B \to w) \to w)$;

(b) $\mathsf{D}_{\alpha,B} = \lambda x:\alpha\,.\,\lambda y:B\,.\,\lambda w:\mathrm{Prop}\,.\,\lambda z:(\forall x : \alpha)(B \to w)\,.\,zxy$; and

(c) $\mathsf{proj}_{\alpha,B} = \lambda w:\mathrm{Prop}\,.\,\lambda z:(\forall x : \alpha)(B \to w)\,.\,\lambda y:(\exists x : \alpha)B\,.\,ywz$.

It is not hard to show that rules (∃α Formation), (∃α e) and (∃α i) corresponding to the rules for ∃J in Definition 3.10 are satisfied. It is also easy to show that

$\mathsf{proj}_{\alpha,B}CZ(\mathsf{D}_{\alpha,B}MN) =_\beta ZMN$.

Note that in Definition 3.16, there is no way to avoid the use of the parameters; for types are completely distinct from terms, and there may be a free variable in $B$ which is bound in the definitions.

Remark It is worth comparing $\mathsf{proj}_{\alpha,B}$ with $\mathsf{project}_{\alpha,B}$ of Definition 2.17. For the same reason that the latter could not be made a true projection function, the former cannot be used to define a true right projection for use with rule (∃α e). There is no problem with the left projection: take $C \equiv \alpha$ and take $Z \equiv \lambda x:\alpha\,.\,\lambda y:B\,.\,x$, and observe that this satisfies the condition on rule (∃α e), which becomes in this case that $x$ and $y$ do not occur free in $C$ or in $\mathsf{D}_{\alpha,B}MN$ and $y$ does not occur free in $B$. On the other hand, for the right projection, we need to take $Z \equiv \lambda x:\alpha\,.\,\lambda y:B\,.\,y$, and this requires $C \equiv B$, in which $x$ may occur free. Being able to use a right projection with rule (∃α e) would correspond to allowing an inference in NJ* from $(\exists x)A(x)$ to  for some term, and making inferences like this work for natural deduction formulations of first order or higher order logic is notoriously difficult.
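The encodings of Definitions 3.13, 3.14 and 3.16 can be checked mechanically. The following is an added example, not code from the report: it erases the type annotations (which play no part in β-reduction of these terms), builds the pairing, projection, injection and case operators as plain λ-terms, and confirms the stated β-equalities with a small normal-order normalizer; the names `check_product`, `check_sum` and `check_exists` are the example's own.

```python
# Constructed example: Church-style encodings of Definitions 3.13, 3.14 and
# 3.16 with their type annotations erased, plus a normalizer to verify the
# beta-equalities the report states after each definition.
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: var: str; body: object     # \x.body (annotation on x erased)
@dataclass(frozen=True)
class App: fun: object; arg: object

_fresh = count()

def free_vars(t):
    if isinstance(t, Var): return {t.name}
    if isinstance(t, Lam): return free_vars(t.body) - {t.var}
    return free_vars(t.fun) | free_vars(t.arg)

def subst(t, x, s):
    """Capture-avoiding substitution [s/x]t."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if t.var == x:                   # x is rebound here: nothing below changes
        return t
    if t.var in free_vars(s):        # rename the binder so s is not captured
        fresh = f"{t.var}_{next(_fresh)}"
        t = Lam(fresh, subst(t.body, t.var, Var(fresh)))
    return Lam(t.var, subst(t.body, x, s))

def step(t):
    """One leftmost-outermost beta-contraction, or None if t is in normal form."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam):
            return subst(t.fun.body, t.fun.var, t.arg)
        r = step(t.fun)
        if r is not None:
            return App(r, t.arg)
        r = step(t.arg)
        return None if r is None else App(t.fun, r)
    if isinstance(t, Lam):
        r = step(t.body)
        return None if r is None else Lam(t.var, r)
    return None

def normalize(t, fuel=10_000):
    for _ in range(fuel):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("no normal form reached")

def alpha_eq(a, b, bound=()):
    """Equality up to renaming of bound variables; bound holds binder pairs, innermost first."""
    if isinstance(a, Var) and isinstance(b, Var):
        for x, y in bound:
            if a.name == x or b.name == y:
                return a.name == x and b.name == y
        return a.name == b.name
    if isinstance(a, Lam) and isinstance(b, Lam):
        return alpha_eq(a.body, b.body, ((a.var, b.var),) + bound)
    if isinstance(a, App) and isinstance(b, App):
        return alpha_eq(a.fun, b.fun, bound) and alpha_eq(a.arg, b.arg, bound)
    return False

def beta_eq(a, b):
    """a =beta b, decided by comparing normal forms (both sides normalize here)."""
    return alpha_eq(normalize(a), normalize(b))

def lam(*args):                      # lam('x', 'y', body) builds \x.\y.body
    *names, body = args
    for v in reversed(names):
        body = Lam(v, body)
    return body

def app(f, *xs):                     # left-nested application f x1 ... xn
    for x in xs:
        f = App(f, x)
    return f

V = Var
# Definition 3.13 (types erased): D, fst, snd
D_PAIR = lam("u", "v", "x", "y", "w", "z", app(V("z"), V("x"), V("y")))
FST = lam("u", "v", "x", app(V("x"), V("u"), lam("y", "z", V("y"))))
SND = lam("u", "v", "x", app(V("x"), V("v"), lam("y", "z", V("z"))))
# Definition 3.14: inl, inr, case
INL = lam("u", "v", "x", "w", "f", "g", app(V("f"), V("x")))
INR = lam("u", "v", "y", "w", "f", "g", app(V("g"), V("y")))
CASE = lam("u", "v", "z", "w", "f", "g", app(V("z"), V("w"), V("f"), V("g")))
# Definition 3.16: D_{alpha,B} and proj_{alpha,B} (alpha and B are types, erased)
D_EX = lam("x", "y", "w", "z", app(V("z"), V("x"), V("y")))
PROJ = lam("w", "z", "y", app(V("y"), V("w"), V("z")))

def check_product(A, B, M, N):       # fst A B (D A B M N) =b M and snd ... =b N
    pair = app(D_PAIR, A, B, M, N)
    return beta_eq(app(FST, A, B, pair), M), beta_eq(app(SND, A, B, pair), N)

def check_sum(A, B, C, M, N, F, G):  # case A B (inl A B M) C F G =b F M, and inr/G N
    left = app(CASE, A, B, app(INL, A, B, M), C, F, G)
    right = app(CASE, A, B, app(INR, A, B, N), C, F, G)
    return beta_eq(left, app(F, M)), beta_eq(right, app(G, N))

def check_exists(C, Z, M, N):        # proj C Z (D M N) =b Z M N
    return beta_eq(app(PROJ, C, Z, app(D_EX, M, N)), app(Z, M, N))
```

Passing the left projection of the Remark, `lam("x", "y", Var("x"))`, as `Z` to `check_exists` reproduces the left-projection case discussed there.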
Chapter 4

THE THEORY OF CONSTRUCTIONS

We have now seen quite a few systems of type assignment to $\lambda$-terms. As we said in the introduction, these systems are important for us because they are the basis for the system which really interests us, the theory of constructions. This is an extension of TAGU and TAT introduced by Coquand [Coq85] and studied further in [CH86], [CH], [Coq86a], [Coq86b], and [Coq]. We have already seen that TAT is an extension of TAP; the theory of constructions, as an extension of TAT, is also an extension of TAP. It is also an extension of the important part of the type theory introduced by Martin-Löf [Mar75], [Mar82], and [Mar84].¹ This chapter will be devoted to the theory of constructions.

The proofs in this chapter will be given in more detail than in previous chapters. This is because the system is new and some of the proofs are difficult. In fact, Martin-Löf [Mar71b]² presented a proof of normalization for a system which was later shown not to be normalizable.³ For this reason, the important proofs in this chapter need to be checked carefully, and so they will be presented in considerable detail.

¹See also [Bee85] Chapter XI.

²An early version of [Mar75].

³See [Coq86a].
4.1 The theory of constructions: natural deduction formulation.

The theory of constructions, or TAC, combines the kind of generalized type assignment of systems such as TAG and TAGU with the formulas as types isomorphism used in defining TAT.

As  we  remarked  at  the  end  of  Section  2.8,  one  of  the  weaknesses  we  want  to 
eliminate  in  this  system  is  the  fact  that  in  TAGU  we  cannot  quantify  over  compound 
types  built  up  from  Prop.  For  this  reason,  as  in  TAT,  we  need  a  notion  of  type.  But 
unlike  TAP,  we  cannot  define  the  types  as  a  fixed  set  of  terms.  Instead,  we  need  to 
indicate  the  types  by  the  rules  of  the  system.  Thus,  in  addition  to  formulas  of  the 
form  M  :  A,  we  need  formulas  of  the  form 

A  :  Type 

The  types  are  then  specified  by  the  deductive  rules  of  the  system. 

Definition 4.1 (TAC terms) The terms of TAC are the terms of TAGU (Definition 2.23), where U is denoted by Prop, except that there is a new constant, Type.

The  original  intention  was  that  Type  would  not  be  part  of  any  compound  type. 
However,  it  has  since  turned  out  that  it  is  convenient  to  have  Type  occurring  as  a 
certain  part  of  certain  compound  types,  as  we  shall  see  below. 

Definition  4.2  (The  type  assignment  system  TAC)  The  system  TAC  is  a 
natural  deduction  system.  Its  formulas  are  of  the  form 

M  :  A, 

where  M  and  A  are  terms.  There  is  one  axiom: 

(PT)  Prop  :  Type. 
The rules are as follows:

Rules of type formation:

(PP Formation)

                             [$x : A$]
    $A : \mathrm{Prop}$      $B : \mathrm{Prop}$
    ---------------------------------------------
    $(\forall x : A)B : \mathrm{Prop}$

    Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

(TP Formation)

                             [$x : A$]
    $A : \mathrm{Type}$      $B : \mathrm{Prop}$
    ---------------------------------------------
    $(\forall x : A)B : \mathrm{Prop}$

    Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

(PT Formation)

                             [$x : A$]
    $A : \mathrm{Prop}$      $B : \mathrm{Type}$
    ---------------------------------------------
    $(\forall x : A)B : \mathrm{Type}$

    Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

(TT Formation)

                             [$x : A$]
    $A : \mathrm{Type}$      $B : \mathrm{Type}$
    ---------------------------------------------
    $(\forall x : A)B : \mathrm{Type}$

    Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

(Eq'P)

    $A : \mathrm{Prop}$      $A =_\beta B$
    -------------------------------------
    $B : \mathrm{Prop}$

(Eq'T)

    $A : \mathrm{Type}$      $A =_\beta B$
    -------------------------------------
    $B : \mathrm{Type}$

Rules of type assignment:

(∀e)

    $M : (\forall x : A)B$      $N : A$
    -----------------------------------
    $MN : [N/x]B$

(∀Pi)

    [$x : A$]
    $M : B$      $A : \mathrm{Prop}$
    ------------------------------------
    $\lambda x:A\,.\,M : (\forall x : A)B$

    Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

(∀Ti)

    [$x : A$]
    $M : B$      $A : \mathrm{Type}$
    ------------------------------------
    $\lambda x:A\,.\,M : (\forall x : A)B$

    Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

(Eq'')

    $M : A$      $A =_\beta B$
    --------------------------
    $M : B$

(=α)

    $M : A$
    -------
    $N : A$

    Condition: $N$ is obtained from $M$ by changes of bound variables.

(Note that several rules listed earlier are listed here in full: since this system is the main subject of this work, it was felt to be important to make this definition relatively self-contained.)

It is possible to state the rules of this system in a more compact form. To do this, we define the kinds to be the two terms Prop and Type. Then if we let $\kappa$ and $\kappa'$ be any two kinds, the rules of type formation can be stated as follows:

(κκ' Formation)

                        [$x : A$]
    $A : \kappa$        $B : \kappa'$
    ---------------------------------
    $(\forall x : A)B : \kappa'$

    Condition: $x$ does not occur free in $A$ or in any undischarged assumption.

(Eq'κ)

    $A : \kappa$      $A =_\beta B$
    -------------------------------
    $B : \kappa$

Furthermore, the rules for (∀i) can be combined as follows:

(∀κi)

    [$x : A$]
    $M : B$      $A : \kappa$
    ------------------------------------
    $\lambda x:A\,.\,M : (\forall x : A)B$
4.2 The basic metatheory of the theory of constructions

Theorem 2.7 can be extended to TAC:

Theorem 4.1 Every deduction in TAC can be transformed into a deduction with the same undischarged assumptions and conclusion in which each inference by any of the rules (Eq'') and (Eq'κ) occurs just above the major (left) premise for an inference by (∀e) (in which case it is an inference by rule (Eq'')) or just above the minor (right) premise for an inference by (∀κi) (in which case it is an inference by rule (Eq'κ)) or just above the conclusion.⁴

Proof Similar to the proof of Theorem 2.7. The definitions of independent subdeduction and dependent subdeduction will be obtained from those of the proof of Theorem 2.7 with U replaced by any kind $\kappa$. In addition to transformations II and III from the proof of Theorem 2.5, we need the following transformations (corresponding to transformations IV–VI of the proof of Theorem 2.7):

VII. A deduction of the form

    $\mathcal{D}_1$
    $C : \kappa$                          [$x : A$]$^1$
    ------------ (Eq'κ)                   $\mathcal{D}_2(x)$
    $A : \kappa$                          $B : \kappa'$
    --------------------------------------------------- (κκ' Formation - 1)
    $(\forall x : A)B : \kappa'$
    $\mathcal{D}_3$

is transformed into

                                          [$x : C$]$^1$
                                          ------------ (Eq'')
    $\mathcal{D}_1$                       $x : A$
    $C : \kappa$                          $\mathcal{D}_2(x)$
                                          $B : \kappa'$
    --------------------------------------------------- (κκ' Formation - 1)
    $(\forall x : C)B : \kappa'$
    ---------------------------- (Eq'κ)
    $(\forall x : A)B : \kappa'$
    $\mathcal{D}_3$

VIII. A deduction of the form

                                          [$x : A$]$^1$
    $\mathcal{D}_1$                       $\mathcal{D}_2(x)$
    $A : \kappa$                          $C : \kappa'$
                                          ------------- (Eq'κ)
                                          $B : \kappa'$
    --------------------------------------------------- (κκ' Formation - 1)
    $(\forall x : A)B : \kappa'$
    $\mathcal{D}_3$

is transformed into

                                          [$x : A$]$^1$
    $\mathcal{D}_1$                       $\mathcal{D}_2(x)$
    $A : \kappa$                          $C : \kappa'$
    --------------------------------------------------- (κκ' Formation - 1)
    $(\forall x : A)C : \kappa'$
    ---------------------------- (Eq'κ)
    $(\forall x : A)B : \kappa'$
    $\mathcal{D}_3$

⁴Here, just above the conclusion means what it did in Theorem 2.7, and there may be two such inferences, one by rule (Eq'κ) and the next one by rule (Eq'').
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From  now  on,  we  shall  assume  without  further  comment  that  the  transformation 
given  by  Theorem  4.1  has  been  carried  out  in  any  deduction.  In  some  cases,  when 
deductions  are  put  together,  inferences  by  equality  rules  will  be  indicated  at  places 
other  than  those  specified  by  the  theorem;  this  will  mean  the  deduction  obtained 
from  the  one  shown  by  carrying  out  the  transformation  given  by  Theorem  4.1. 

TAC is clearly an extension of the system TAGU, i.e., of the system TAGL of Hindley & Seldin [HS86] Section 16E. This means that TAP can be interpreted in it.

Theorem 4.2 TAP can be interpreted in TAC.

Proof See Hindley & Seldin [HS86] Theorem 16.66. ■


Now let us turn to the general theory of TAC. The first result we have is that Type and Prop control terms which can occur as "types" the way we expect them to. To see this, we need first to consider the conditions under which assumptions may be discharged. For each rule that discharges an assumption of the form $x : A$, there is the independent subdeduction, the conclusion of which is either $A : \mathrm{Prop}$ or $A : \mathrm{Type}$. This fact and the conditions on the occurrences of the variables of discharged assumptions imply that assumptions must be discharged in a certain order. Thus, instead of sets of assumptions, we are really interested in sequences of assumptions. Now suppose that we are given a sequence of assumptions of the form

$x_1 : A_1, x_2 : A_2, \ldots, x_n : A_n$.

Suppose that the assumption that we wish to discharge is always the last of the sequence. Under what conditions can the last assumption be discharged? And more generally, under what conditions is it always possible to discharge the last assumption of any initial segment of this sequence? It is not difficult to see that the conditions are those of the following definition:

Definition 4.3 ((Well-formed) environments) A (well-formed) environment is a sequence of assumptions

$x_1 : A_1, x_2 : A_2, \ldots, x_n : A_n$  (4.1)

such that, for $i = 1, 2, \ldots, n-1$, the following two properties hold:

(a) $x_i$ does not occur free in $A_1, A_2, \ldots, A_i$ (but may occur free in $A_{i+1}, \ldots, A_n$); and

(b) either

$x_1 : A_1, x_2 : A_2, \ldots, x_i : A_i \vdash_{\mathrm{TAC}} A_{i+1} : \mathrm{Prop}$

or

$x_1 : A_1, x_2 : A_2, \ldots, x_i : A_i \vdash_{\mathrm{TAC}} A_{i+1} : \mathrm{Type}$.

We can now see that the terms which can be proved to be in Type are really quite limited.

Theorem 4.3 If

$\Gamma \vdash_{\mathrm{TAC}} A : \mathrm{Type}$,

for any set of assumptions $\Gamma$, then for some $n \ge 0$ and for some terms $A_1, A_2, \ldots, A_n$, and for a sequence of pairwise distinct variables $x_1, x_2, \ldots, x_n$,

$A =_\beta (\forall x_1 : A_1)(\forall x_2 : A_2) \ldots (\forall x_n : A_n)\mathrm{Prop}$.
Proof This follows immediately from the fact that any formula of the form $A : \mathrm{Type}$ can occur only as the axiom (PT) or as the conclusion of one of the rules (κT Formation) or (Eq'T). ■

Definition 4.4 (Context) A context is a term $A$ satisfying the conclusion of Theorem 4.3. If $A$ is a context, and if the conclusion of Theorem 4.3 is that $A$ is convertible to

$(\forall x_1 : A_1)(\forall x_2 : A_2) \ldots (\forall x_n : A_n)\mathrm{Prop}$,  (4.2)

then (4.2) is called a standard form of $A$, $n$ is called the index of the standard form, and $A_1, A_2, \ldots, A_n$ are called its prefix types.

It is easy to see (by the Church–Rosser theorem) that two standard forms can be standard forms of the same context if and only if they have the same index and corresponding prefix types are convertible. This means that we can speak of the index of a context, and if we are willing to consider equivalence classes of convertible terms, we can speak of the prefix types of a context. It is also easy to see that any context can be reduced to one of its standard forms.

Contexts have a clear meaning: each context is the type of propositional functions of a certain number of arguments over certain terms as "types". Obviously, contexts are really useful only when the prefix types are either in Prop or in Type. For this reason, we would like to know which contexts can be shown (perhaps using assumptions) to be in Type; i.e., we want as general as possible a partial converse to Theorem 4.3.

Definition 4.5 (Well-formed context) A context is said to be well-formed if and only if it has a standard form (4.2) such that the corresponding sequence of assumptions (4.1) is a well-formed environment.

It is easy to show the following result:

Theorem 4.4 If $A$ is a well-formed context, then

$\vdash_{\mathrm{TAC}} A : \mathrm{Type}$.⁵

We would like to show that a context cannot be assigned a type other than Type. To do this, we need to consider places that Type can occur in a deduction. It may appear that it occurs only on the right of the colon and then only alone. But this is not the case, for consider the following example:

    $\mathrm{Prop} : \mathrm{Type}$      $\mathrm{Prop} : \mathrm{Type}$
    ------------------------------------------------------------- (∀Ti)
    $\lambda x:\mathrm{Prop}\,.\,\mathrm{Prop} : (\forall x : \mathrm{Prop})\mathrm{Type}$

⁵It is, in fact, easy to strengthen Theorem 4.3 to show that if $\vdash_{\mathrm{TAC}} A : \mathrm{Type}$ then $A$ is a well-formed context.
What we can prove about occurrences of Type requires a definition:

Definition 4.6 (Supercontext) A term $A$ is a supercontext if

$A =_\beta (\forall x_1 : A_1) \ldots (\forall x_n : A_n)\mathrm{Type}$

where $(\forall x_1 : A_1) \ldots (\forall x_n : A_n)\mathrm{Prop}$ is a well-formed context. Here, $(\forall x_1 : A_1) \ldots (\forall x_n : A_n)\mathrm{Type}$ is called a standard form of $A$, $n$ is called the index of the standard form, and $A_1, A_2, \ldots, A_n$ are called its prefix types.

The remarks after Definition 4.4 about the standard forms of contexts apply equally to those of supercontexts.

The result we want is now as follows:

Theorem 4.5 (a) If $\Gamma$ is a well-formed environment and if

$\Gamma \vdash_{\mathrm{TAC}} M : A$,

then $M$ reduces to a term in which there is no occurrence of Type.

(b) If $\Gamma$ is a well-formed environment and if

$\Gamma \vdash_{\mathrm{TAC}} M : A$,

and if there is an occurrence of Type in every term to which $A$ reduces, then $A$ is a supercontext.⁶

Proof (a) By induction on the deduction of

$\Gamma \vdash_{\mathrm{TAC}} M : A$.

(Note that the type of each variable in a well-formed environment satisfies the conditions of the lemma.) In the cases for rules (Eq'κ), the conclusion follows via the Church–Rosser theorem and the fact that no reduction can introduce an occurrence of Type into a term. The remaining cases are easy.

(b) By induction on the deduction of

$\Gamma \vdash_{\mathrm{TAC}} M : A$.

The only difficult case is rule (∀e); in this case, suppose that the inference is

    $M : (\forall x : B)C$      $N : B$
    -----------------------------------
    $MN : [N/x]C$

If there is an occurrence of Type in every term to which $[N/x]C$ reduces, then by (a) there is an occurrence of Type in every term to which $N$ reduces and hence also in every term to which $C$ reduces. Hence, there is an occurrence of Type in every term to which $(\forall x : B)C$ reduces. Thus, by the induction hypothesis (on the left premise), $(\forall x : B)C$ is a supercontext. It follows that $C$ and hence also $[N/x]C$ are also supercontexts. ■

⁶Since it is not, in general, decidable whether or not there is an occurrence of Type in every term to which a given term reduces, it may appear that this theorem involves a nonconstructive use of the law of excluded middle. But in fact, all that is really needed for part (b) is that it is not possible to determine from the deduction that there is a reduction from the term to a term in which Type does not occur, and this can be constructively determined.

Define an occurrence of a subterm $A$ of a term $M$ to be the type of a bound variable if $A$ is the indicated part of a subterm of the form $\lambda x:A\,.\,N$ or $(\forall x : A)B$.

Theorem 4.6 Let $\Gamma$ be a well-formed environment, and suppose

$\Gamma \vdash_{\mathrm{TAC}} M : A$,

where $A$ is not a supercontext. Then $M =_\beta N$ for some term $N$ in which every occurrence of the atomic term Prop is inside the type of a bound variable.⁷

Proof By induction on the deduction of $\Gamma \vdash_{\mathrm{TAC}} M : A$. ■

Corollary 4.6.1 If $\Gamma$ is a well-formed environment, and if

$\Gamma \vdash_{\mathrm{TAC}} M : A$,

where $A$ is not a supercontext, then $M$ is not a context.

⁷The condition of the theorem that $A$ is not a supercontext is not constructively decidable. However, all that is really necessary for the theorem is that it not be possible to read from the deduction in question that $A$ is a supercontext, and this can be constructively determined.

Corollary 4.6.2 If $\Gamma$ is a well-formed environment, and if

$\Gamma \vdash_{\mathrm{TAC}} M : \kappa$ and $\Gamma \vdash_{\mathrm{TAC}} M : \kappa'$,

then $\kappa \equiv \kappa'$.

Proof Otherwise, we have $\Gamma \vdash_{\mathrm{TAC}} M : \mathrm{Prop}$ and $\Gamma \vdash_{\mathrm{TAC}} M : \mathrm{Type}$, from which we get by Theorem 4.3 that $M$ is a context and from Corollary 4.6.1 that it is not a context. ■

It is not hard to generalize Theorem 4.3 to the following:

Theorem 4.7 If

$\Gamma \vdash_{\mathrm{TAC}} A : B$,

where $B$ is a supercontext, then

$A =_\beta \lambda x_1:A_1\,.\,\lambda x_2:A_2\,.\,\ldots\,\lambda x_m:A_m\,.\,A'$,  (4.3)

where $A'$ is a context.

Definition 4.7 (Context function) A term $A$ satisfying the conclusion of Theorem 4.7 is called a context function. If $A'$ is a standard form, then the form on the right of (4.3) is called a standard form of $A$, and its index is $m$ plus the index of $A'$. All of the remarks and conventions regarding standard forms and indices of contexts apply to those of context functions.

Now let us consider the subject-reduction theorem (Theorem 2.1). In order to prove it, we need a replacement theorem corresponding to Lemma 2.1. Lemma 2.1 is stated in terms of the subject-construction theorem, which is much more complicated to state for TAC than it is for TA, but the part of the lemma corresponding to the subject-construction theorem is not needed for the subject-reduction theorem. Another complication arises from the fact that changes in a term to which a type is assigned may be reflected later in a deduction in the types themselves. However, in the case of the replacement lemma needed for the subject-reduction theorem, a term is replaced by a convertible term, so by rule (Eq''), the later types need not be changed. (See Hindley & Seldin [HS86] Lemma 16.39.) It is sufficient to have the following result (which is called a theorem because it is more substantial than Lemma 2.1):
Theorem 4.8 (Replacement) Let $\Gamma_1$ be any well-formed environment, and let $\mathcal{D}$ be a deduction of

$\Gamma_1 \vdash_{\mathrm{TAC}} M : A$.

Let $V : C$ be any statement in $\mathcal{D}$, let $\mathcal{D}_1$ be that part of $\mathcal{D}$ ending in $V : C$, let $\mathcal{D}_2$ be the rest of $\mathcal{D}$, and let $x_1 : B_1, x_2 : B_2, \ldots, x_n : B_n$ be the assumptions of $\mathcal{D}_1$ that are discharged in $\mathcal{D}_2$. Let $W$ be a term such that $W =_\beta V$ and $\mathrm{FV}(W) \subseteq \mathrm{FV}(V)$, and suppose that $\Gamma_2$ is a well-formed environment in which $x_1, x_2, \ldots, x_n$ do not occur free. Suppose that $\mathcal{D}_3$ is a deduction of

$\Gamma_2, x_1 : B_1, \ldots, x_n : B_n \vdash_{\mathrm{TAC}}$

Then replacing $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}$ results in a deduction $\mathcal{D}_4$ of

$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} M^* : A$,

where $M^*$ is obtained from $M$ by replacing appropriate occurrences of $V$ by $W$.⁸

Proof By induction on the structure of $\mathcal{D}_2$.

Basis. There are two cases.

Case 1. $\mathcal{D}_2$ consists of the single statement $V : C$. Then $M$ is $V$, $M^*$ is $W$, and $\mathcal{D}_4$ is just $\mathcal{D}_3$.

Case 2. $\mathcal{D}_2$ consists only of the axiom (PT). Then the replacement is vacuous, $W \equiv V \equiv \mathrm{Prop}$, and $\mathcal{D}_4$ consists only of the axiom (PT).

Induction step: We have the following cases depending on the last inference in $\mathcal{D}_2$.

Case 1. The last inference of $\mathcal{D}_2$ is (κκ' Formation). Then $A$ is $\kappa'$, $M$ is $(\forall x : B)E$, and $\mathcal{D}$ is

                                  [$x : B$]$^1$
    $\mathcal{D}_5$               $\mathcal{D}_6(x)$
    $B : \kappa$                  $E : \kappa'$
    ---------------------------------------------- (κκ' Formation - 1)
    $(\forall x : B)E : \kappa'$

⁸It is difficult to describe exactly the replacements which are required to obtain $M^*$ from $M$, but it is possible to read the replacement process from the proof. It is worth noting that the part of $\mathcal{D}_4$ which is not included in $\mathcal{D}_3$ has exactly the same inference rules in the same relative positions as $\mathcal{D}_2$ except perhaps for some inferences by (Eq'κ), (Eq''), or (=α).




where the occurrence of $V : C$ is either in $\mathcal{D}_5$ or in $\mathcal{D}_6(x)$. By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ and $\mathcal{D}_6(x)$ leads to deductions $\mathcal{D}_7$ and $\mathcal{D}_8(x)$ of, respectively,

$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} B^* : \kappa$

and

$\Gamma_1, \Gamma_2, x : B \vdash_{\mathrm{TAC}} E^* : \kappa'$

for appropriate $B^*$ and $E^*$. Since $V =_\beta W$, $B^* =_\beta B$, and so $\mathcal{D}_4$ is as follows:

    $\mathcal{D}_7$                   [$x : B$]$^1$
    $B^* : \kappa$                    $\mathcal{D}_8(x)$
    -------------- (Eq'κ)             $E^* : \kappa'$
    $B : \kappa$
    ------------------------------------------------ (κκ' Formation - 1)
    $(\forall x : B)E^* : \kappa'$

Case 2. The last inference of $\mathcal{D}_2$ is by (Eq'κ). Then $A$ is $\kappa$ and $\mathcal{D}$ is

    $\mathcal{D}_5$
    $N : \kappa$
    ------------ (Eq'κ)
    $M : \kappa$,

where $N =_\beta M$. By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ leads to a deduction $\mathcal{D}_6$ of

$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} N^* : \kappa$

for an appropriate $N^*$. Since $N^* =_\beta N =_\beta M$, we can take $M^* \equiv M$, and then $\mathcal{D}_4$ is obtained from $\mathcal{D}_6$ by an inference by (Eq'κ).

Case 3. The last inference of $\mathcal{D}_2$ is by (∀e). Then $M$ is $M_1M_2$, $A$ is $[M_2/x]A'$, and $\mathcal{D}$ is

    $\mathcal{D}_5$                     $\mathcal{D}_6$
    $M_1 : (\forall x : B)A'$           $M_2 : B$
    ------------------------------------------------ (∀e)
    $M_1M_2 : [M_2/x]A'$.

By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ and $\mathcal{D}_6$ leads to deductions $\mathcal{D}_7$ and $\mathcal{D}_8$ of

$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} M_1^* : (\forall x : B)A'$

and

$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} M_2^* : B$

for appropriate $M_1^*$ and $M_2^*$. Furthermore, $M_2^* =_\beta M_2$. Hence, $\mathcal{D}_4$ is

    $\mathcal{D}_7$                     $\mathcal{D}_8$
    $M_1^* : (\forall x : B)A'$         $M_2^* : B$
    ------------------------------------------------ (∀e)
    $M_1^*M_2^* : [M_2^*/x]A'$
    -------------------------- (Eq'')
    $M_1^*M_2^* : [M_2/x]A'$.

Case 4. The last inference of $\mathcal{D}_2$ is by (∀κi). Then $A$ is $(\forall x : B)E$, $M$ is $\lambda x:B\,.\,N$, and $\mathcal{D}$ is

    [$x : B$]$^1$
    $\mathcal{D}_5(x)$           $\mathcal{D}_6$
    $N : E$                      $B : \kappa$
    ---------------------------------------------- (∀κi - 1)
    $\lambda x:B\,.\,N : (\forall x : B)E$.

By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5(x)$ and $\mathcal{D}_6$ leads to deductions $\mathcal{D}_7(x)$ and $\mathcal{D}_8$ of

$\Gamma_1, \Gamma_2, x : B \vdash_{\mathrm{TAC}} N^* : E$

and

$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} B^* : \kappa$

for appropriate $N^*$ and $B^*$, where $B^* =_\beta B$. Then $\mathcal{D}_4$ is as follows:

    [$x : B$]$^1$                $\mathcal{D}_8$
    $\mathcal{D}_7(x)$           $B^* : \kappa$
    $N^* : E$                    -------------- (Eq'κ)
                                 $B : \kappa$
    ---------------------------------------------- (∀κi - 1)
    $\lambda x:B\,.\,N^* : (\forall x : B)E$.

Case 5. The last inference of $\mathcal{D}_2$ is by (Eq''). Then $\mathcal{D}$ is

    $\mathcal{D}_5$
    $M : B$
    -------- (Eq'')
    $M : A$,

where $A =_\beta B$. By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ leads to a deduction of

$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} M^* : B$

for appropriate $M^*$, and $\mathcal{D}_4$ is obtained by adding an inference by (Eq'') at the end.

Case 6. The last inference in $\mathcal{D}_2$ is by (=α). Then $\mathcal{D}$ is

    $\mathcal{D}_5$
    $N : A$
    -------- (=α)
    $M : A$,

where $M$ is obtained from $N$ by changes of bound variables. By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ leads to a deduction $\mathcal{D}_6$ of

$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} N^* : A$

for appropriate $N^*$. Since $\mathrm{FV}(W) \subseteq \mathrm{FV}(V)$, the changes of bound variables which occur in passing from $N$ to $M$ will take $N^*$ to the desired $M^*$, and so $\mathcal{D}_4$ can be obtained from $\mathcal{D}_6$ by adding an inference by (=α). ■


We can use this theorem to prove the subject-reduction theorem the same way that Lemma 16.39 of Hindley & Seldin [HS86] is used to prove Theorem 16.41:

Theorem 4.9 (Subject-reduction theorem) Let $\Gamma$ be a well-formed environment. If

$\Gamma \vdash_{\mathrm{TAC}} M : A$

and $M \triangleright N$, then

$\Gamma \vdash_{\mathrm{TAC}} N : A$.

(See also the proof of Hindley & Seldin [HS86] Theorem 15.17.)
As in Hindley & Seldin [HS86] §16D2, the subject-reduction theorem is related to the normalization theorem. In particular, it tells us that the result of performing a reduction step on a valid deduction is another valid deduction. The reduction steps that interest us are the following:

κ reductions. A deduction of the form

    [$x : A$]$^1$
    $\mathcal{D}_1(x)$          $\mathcal{D}_2$
    $M : B$                     $A : \kappa$
    ---------------------------------------- (∀κi - 1)
    $\lambda x:A\,.\,M : (\forall x : A)B$
    ---------------------------------------- (Eq'')      $\mathcal{D}_3$
    $\lambda x:A\,.\,M : (\forall x : C)B$                $N : C$
    ------------------------------------------------------------ (∀e)
    $(\lambda x:A\,.\,M)N : [N/x]B$
    $\mathcal{D}_4$

reduces to

    $\mathcal{D}_3$
    $N : C$
    -------- (Eq'')
    $N : A$
    $\mathcal{D}_1(N)$
    $[N/x]M : [N/x]B$
    $\mathcal{D}_4'$

where $\mathcal{D}_4'$ is obtained from $\mathcal{D}_4$ by replacing appropriate occurrences of $(\lambda x:A\,.\,M)N$ by $[N/x]M$ according to Theorem 4.8.

Here, the formula $\lambda x:A\,.\,M : (\forall x : C)B$ is the cut formula of the reduction step. A reduction is a (possibly empty) sequence of replacements using these reduction steps.

A special case of a κ reduction step is a context-reduction step or c-reduction step in which $B$ is a context or a supercontext. A context-reduction or c-reduction is a reduction in which each reduction step is a c-reduction step. A deduction will be said to be context-normal, or c-normal, if it contains no cut formulas for c-reduction steps. It turns out to be easy to prove that every deduction can be reduced to a c-normal deduction using the notion of the degree of a term, and that this partial normalization result is important in proving the full normalization theorem.

Definition 4.8 (Degree of a term) Let $A$ be a term such that there is a step $M : A$ in a deduction in TAC. Then the degree of $A$ relative to the deduction is defined as follows:

(a) if $A$ is not a context or a supercontext, then the degree of $A$ is 0;

(b) the degrees of Prop and Type are 1;

(c) the degree of $(\forall x : A)B$ is one more than the maximum of the degrees of $A$ and $B$; and

(d) if $A =_\beta B$, then the degree of $A$ is equal to the degree of $B$.

Since only contexts and supercontexts have nonzero degrees, the definition of a context is enough to guarantee that the degree of a term relative to a deduction is well defined.

Remark Since it is not possible to decide mechanically for a given term whether or not it is a context or a supercontext, it may appear that this definition uses the law of the excluded middle, which is invalid in constructive logic, to define the degree of a term. But this is not really the case; for in calculating the degree of a given context or supercontext, it is only necessary to calculate the degree of terms $A$ which are either Prop or Type or for which there is a step in the deduction of the form $A : \mathrm{Type}$ or $A : \mathrm{Prop}$, and then the degree of $A$ can be determined by which of these situations occurs. (It is impossible to have more than one by Theorems 4.3, 4.4, 4.5 and 4.6, and it is possible to determine mechanically which occurs.)

Note that the degree of a term relative to a deduction is invariant under $\beta$-conversion.

Theorem  4.10  Every  deduction  in  TAC  with  conclusion  M  :  A  can  be  reduced  to 
a  c-normal  deduction  with  the  same  undischarged  assumptions  and  with  conclusion 
N  :  A,  where  MN . 

Proof Let the degree of a cut formula be the degree of its type with respect to
the deduction. Note that if a cut formula is removed by a reduction step, the
degree of another cut formula which had lower degree before the reduction step and
which occurs in the deduction after the reduction is unchanged. Let the index of
a deduction be the pair (d, n), where d is the maximum degree of any cut formula
in the deduction and n is the number of cut formulas in the deduction with degree
d. If the pairs are ordered as in the proof of Theorem 1.2, and if reduction steps
are carried out in the same order (the cut formula has degree d, and there is no cut
formula with degree d in 𝒟₃), then an argument like that of the proof of Theorem 1.2
shows that every deduction can be reduced to a deduction with no cut formulas.
It should be clear from the nature of the reduction steps that a reduction changes
only the term to the left of the colon in any formula by carrying out a sequence of
contractions. ■

Definition  4.9  The  term  N  of  Theorem  4.10  will  be  called  a  c-normal  form  of  M. 

In  terms  of  this  definition,  Theorem  4.10  says  that  every  term  to  which  a  type 
is  assigned  by  TAC  has  a  c-normal  form. 

This partial normalization result is important for the full normalization theorem
because it gives us some useful information about terms A for which it is possible to
prove Γ ⊢_TAC A : Prop. To obtain this information, we need the following lemmas:

Lemma 4.1 Let 𝒟 be a c-normal deduction of

    Γ ⊢_TAC A : Prop,

where Γ is a well-formed environment. Then either A =_β (∀x : B)C for some terms
B and C and some variable x which does not occur free in Γ, or A =_β xM₁M₂…M_p
for some variable x, some natural number p (which may be 0), and some terms
M₁, …, M_p, and furthermore, it can be decided constructively which of these
alternatives holds.

Proof Consider the last inference in 𝒟 which is not by (Eq''), (Eq'P), or (=_α). This
inference cannot be by (∀κ i) since the type of the conclusion is an atomic constant,
so the only remaining possible rules are (κP Formation) and (∀e). Which of these
rules actually occurs can be decided constructively (by inspection of the deduction).

If the inference is by (κP Formation), then there are terms B and C and a
variable x which does not occur free in Γ such that A =_β (∀x : B)C.

If the inference is by (∀e), then consider the left branch of the deduction. As
we travel up that branch from the bottom, the only inferences we find are by (∀e),
(Eq''), (=_α), and perhaps (Eq'P) at the very bottom. This means that the formula
at the top of the left branch must be an undischarged assumption, and it must
therefore be in Γ. It follows that this statement must have the form x : B, where
B =_β (∀x₁ : C₁)…(∀x_p : C_p)Prop for some natural number p (which may be 0). Then
we must have A =_β xM₁…M_p for some terms M₁, …, M_p. ■
Definition 4.10 (Simple and compound deductions) If 𝒟 is a deduction as
in Lemma 4.1, then it will be called compound if the first case of the lemma holds
and simple if the second case holds. If A is a term such that A : Prop is the conclusion
of such a deduction 𝒟, then A will be simple [compound] if 𝒟 is simple [compound].

Lemma 4.2 If there is a deduction of

    Γ ⊢_TAC A : Prop,

then there is a c-normal deduction of it.

Proof Let 𝒟 be the given deduction. By Theorem 4.10 there is a c-normal deduction
of

    Γ ⊢_TAC B : Prop,

where A reduces to B. By adding one inference by (Eq'P) at the end, we get the desired
c-normal deduction of

    Γ ⊢_TAC A : Prop. ■


By Lemma 4.2 and Definition 4.10, every type in Prop (with respect to a given
well-formed environment) is either simple or compound, and it is possible to decide
constructively which it is. Furthermore, the compound types are formed by repeated
use of the operation ∀ from the simple types and Prop. Note that the contexts are
formed in more or less the same way.

Lemma 4.3 If 𝒟 is a deduction of

    Γ ⊢_TAC (∀x : A)B : Prop,

where x does not occur free in Γ or in A and where Γ is a well-formed environment,
then there is a deduction 𝒟' of

    Γ, x : A ⊢_TAC B : Prop.

Furthermore, the c-normal deduction to which 𝒟' reduces has fewer inferences by
rules other than (Eq''), (Eq'κ), and (=_α) than the c-normal deduction to which 𝒟
reduces.

Proof  This  follows  from  Lemmas  4.1  and  4.2.  ■ 




Theorem 4.11 If

    Γ ⊢_TAC M : A,

where Γ is a well-formed environment and A is not a supercontext, then

    Γ ⊢_TAC A : Type

or

    Γ ⊢_TAC A : Prop.

Proof By induction on the length of the deduction 𝒟 with the conclusion M : A.
The only difficult case is that in which the last inference of 𝒟 is by rule (∀e). Then
M = PN, A = [N/x]C, and 𝒟 has the form

         𝒟₁               𝒟₂
    P : (∀x : B)C        N : B
    -------------------------- (∀κ e)
          PN : [N/x]C.

By the induction hypothesis,

    Γ ⊢_TAC (∀x : B)C : κ,                                (4.4)

and

    Γ ⊢_TAC B : κ'.                                       (4.5)

If we have κ = Type, then 4.4 must be the conclusion of (κ'Type Formation), the
premises being 4.5 and

    Γ, x : B ⊢_TAC C : Type.

The conclusion then follows by placing 𝒟₂ over each occurrence of the assumption
x : B. If κ = Prop, we use Lemma 4.3 to carry out a similar argument using one of
the rules (κP Formation). ■

Lemmas 4.1 and 4.2 give us a structure on the types in Prop. It is interesting
to note that the other types have exactly the same structure. By Theorem 4.11,
every type is in Prop, in Type, or is a supercontext. It is clear from the definition
that supercontexts have this structure, and Theorem 4.3 tells us that the same is
true for contexts. What all of this means is that types are built up from Type, Prop,
and the simple types by the operation forming (∀x : A)B.

Theorems 4.3, 4.4 and 4.11 and Corollary 4.6.1 allow us to classify all formulas
which can be deduced from well-formed environments:

Definition 4.11 (Classification of formulas) A formula M : A is called:

(a) a context function if A is a supercontext;

(b) a context if A =_β Type;

(c) a proposition function if A is a context;

(d) a proposition if A =_β Prop; and

(e) a proof if A is neither a context nor a supercontext.

A deduction whose undischarged assumptions form a well-formed environment is
classified according to its last formula.

This  classification  shows  the  connection  between  TAC  and  the  formulas-as-types 
isomorphism. 

We  would  like  to  extend  this  classification  to  the  terms  M  (at  least  relative  to 
a  given  well-formed  environment).  In  other  words,  we  modify  Definition  4.11  as 
follows: 

Definition 4.12 (Classification of terms) A term M is called:

(a) a Γ-context function if there is a supercontext A such that Γ ⊢_TAC M : A;

(b) a Γ-context if Γ ⊢_TAC M : Type;

(c) a Γ-proposition function if there is a context A such that Γ ⊢_TAC M : A;

(d) a Γ-proposition if Γ ⊢_TAC M : Prop; and

(e) a Γ-proof if there is a term A which is neither a context nor a supercontext such
that Γ ⊢_TAC M : A.

We have already proved (Corollary 4.6.1) that no term is both a Γ-context
function and a Γ-proposition function or both a Γ-context function and a Γ-proof.
To complete the proof that this classification is exclusive, we need the following
result.

Theorem 4.12 If Γ is a well-formed environment, and if

    Γ ⊢_TAC M : A   and   Γ ⊢_TAC M' : B

are both derivable, where M and M' differ only by changes of bound variables, then
A =_β B.

Proof By induction on the lengths of the two deductions, 𝒟₁ and 𝒟₂ respectively.

Case 1. The last inference in 𝒟₁ is by (Eq''). Assume that the left premise is
M : A'. By the induction hypothesis, A' =_β B. But A =_β A', and so A =_β B.

Case 2. The last inference in 𝒟₂ is by (Eq''). Symmetric to Case 1.

Case 3. The last inference in neither 𝒟₁ nor 𝒟₂ is by (Eq'').

Subcase 3.1. 𝒟₁ consists of the axiom. Then M is Prop and A is Type. Then
either 𝒟₂ is also the axiom, in which case B is Type and we are finished, or else the
last inference in 𝒟₂ is by rule (Eq'κ), in which case κ is Type by Corollary 4.6.1.

Subcase 3.2. The last inference of 𝒟₁ is by (κκ' Formation). Then B is κ' by
Corollary 4.6.2.

Subcase 3.3. The last inference of 𝒟₁ is by (Eq'κ). Then by Corollary 4.6.2, B
is κ.

Subcase 3.4. The last inference of 𝒟₁ is by (∀κ e). Then the last inference of 𝒟₂
is either (∀κ e) or (Eq'κ). If it is (Eq'κ), then the theorem follows by Corollary 4.6.2.
Otherwise, M is NP, M' is N'P' (where N' and P' differ from N and P only by
changes in bound variables), A is [P/x]A', B is [P/x]B', 𝒟₁ is

         𝒟₁₁                𝒟₁₂
    N : (∀x : C)A'         P : C
    ---------------------------- (∀κ e)
          NP : [P/x]A',

and 𝒟₂ is

         𝒟₂₁                𝒟₂₂
    N : (∀x : D)B'         P : D
    ---------------------------- (∀κ e)
          NP : [P/x]B'.

By the induction hypothesis, C =_β D and (∀x : C)A' =_β (∀x : D)B'. It follows that
A' =_β B', and hence A =_β B.

Subcase 3.5. The last inference in 𝒟₁ is by (∀κ i). Then the last inference in 𝒟₂
is by (∀κ i), M is λx:C . N, M' is λx:C . N' where N and N' differ by changes in
bound variables, A is (∀x : C)A', and B is (∀x : C)B'. (There is no loss of generality
in assuming that the indicated bound variable is x in both M and M' because if
the bound variables are different a minor modification of 𝒟₂ will make them the
same.) Furthermore, 𝒟₁ is

            1
         [x : C]
          𝒟₁₁              𝒟₁₂
          N : A'           C : κ
    ------------------------------ (∀κ i − 1)
       λx:C . N : (∀x : C)A'

and 𝒟₂ is

            1
         [x : C]
          𝒟₂₁              𝒟₂₂
          N' : B'          C : κ'
    ------------------------------ (∀κ' i − 1)
       λx:C . N' : (∀x : C)B'.

By the induction hypothesis, A' =_β B', and it clearly follows that A =_β B.

Subcase 3.6. The last inference in 𝒟₁ is by (=_α). This case is trivial. ■


Corollary 4.12.1 For any well-formed environment Γ, no term is both a Γ-
proposition function and a Γ-proof.

Proof Suppose M is both a Γ-proposition function and a Γ-proof. Then there is a
Γ-proposition B and a Γ-context C such that

    Γ ⊢_TAC M : B   and   Γ ⊢_TAC M : C.

Hence,

    Γ ⊢_TAC B : Prop   and   Γ ⊢_TAC C : Type.

By the theorem, B =_β C. Hence, by the Church-Rosser Theorem, there is a term
D to which both B and C reduce which can be proved on the basis of Γ to be in
both Prop and Type, contradicting Corollary 4.6.2. ■


Theorem 4.10 gives us the following characterization of Γ-proposition functions:

Theorem 4.13 If Γ is a well-formed environment, and if A is a Γ-proposition
function which is not a proposition, then either each c-normal form of A has the
form λx:B . C, in which case the type assigned to A by Γ converts to (∀x : B)F,
where F is a context, or each c-normal form of A has the form xM₁…M_n.




Proof By hypothesis, there is a c-normal deduction of

    Γ ⊢_TAC D : (∀x : B)E,

where A reduces to D, which is a c-normal form of it, and B is a context. Except for (Eq'')
and (=_α), which make no difference, the last inference in this c-normal deduction
must be (∀κ i) or (∀κ e). If it is (∀κ i), we are done. If it is (∀κ e), then proceed
up the left branch to the first formula which is not the conclusion of an inference
by (→ e) or (∀κ e). Since the deduction is c-normal and since E is a context, this
formula is not the conclusion of an inference by (∀κ i). Hence, it is an assumption,
and D has the form xM₁…M_n, as desired. (That all c-normal forms of A are of
the same kind follows by the Church-Rosser Theorem.) ■

By iterating the theorem, and, if necessary, replacing terms M by λy_i . My_i,
where y_i is not free in M, we can prove the following corollary:

Corollary 4.13.1 Under the hypotheses of the theorem, if

    Γ ⊢_TAC A : (∀x₁ : B₁)…(∀x_n : B_n)Prop,

then either A =_β λx₁:B₁ . … λx_n:B_n . A', where A' is a Γ-context, or else every
c-normal form of A has the form xM₁…M_n.

Remark It is worth pointing out that, as we have formulated TAC, there is nothing
to exclude making an assumption of the form x : A, where A is a supercontext. We
have not considered such assumptions so far, and the early formulations of TAC
excluded them. But they do no harm, since the rules of the system prevent the
discharge of any such assumption. Furthermore, they will turn out to be useful in
practice, since undischarged variables may be thought of as new constants added
to the system. But if such assumptions are allowed, then it is no longer true that
anything that can be proved to be in Type is a context in the sense of Definition 4.4;
it might convert instead to

    (∀x₁ : A₁)…(∀x_n : A_n)xB₁…B_m.

If we allow such terms to be contexts in a generalized sense, then different assumptions
can result in the same formula having different classifications according to
Definition 4.11. For example, let Γ₁ be x : Type and let Γ₂ be x : Prop; then y : x
is a Γ₁-proposition and a Γ₂-proof. Furthermore, the definition of well-formed
environment (Definition 4.3) would have to be modified to allow any of the A_i to be
a supercontext. (Definition 4.5, of a well-formed context, would then have to differ
from Definition 4.3, since none of the A_i of a standard form of a well-formed context
can convert to a supercontext.) In Definition 4.8, it is necessary to specify that the
rank of xB₁…B_m is 1 if x : (∀x₁ : A₁)…(∀x_m : A_m)Type is assumed in the
deduction. In connection with Definition 4.10, a term of the form xB₁…B_m, where
x : (∀x₁ : A₁)…(∀x_m : A_m)Type is assumed in the deduction, will be called a simple
generalized context. Finally, it is important to specify that no substitutions be
made for variables assumed to be in supercontexts; they must behave like constants.
In what follows, we shall assume that these modifications have been made.
4.3 The strong normalization theorem.


It  might  appear  that  to  prove  the  normalization  theorem  it  is  sufficient  to  combine 
Theorem  4.10  with  a  similar  result  for  reduction  steps  whose  cut  formulas  are  not 
propositions.  But  this  fails  to  work,  for  on  the  one  hand,  such  a  reduction  step  may 
require  that  a  type  of  arbitrary  complexity  be  substituted  for  a  variable  that  is  part 
of  an  assumption  that  is  also  a  sentence,  and  on  the  other  hand,  a  reduction  step 
whose  cut  formula  is  a  proof  may  introduce  a  new  cut  formula  which  is  a  proposition 
and  whose  type  is  a  context  of  arbitrarily  high  degree. 

On the other hand, Theorem 4.10 is of help in proving normalization, for it
shows (via Lemma 4.3) that the types which are proved to be in Prop can be
formed from the simple types and Prop by ∀ in much the same way that the types
of TAP are formed from type variables by the type constructors. This turns out
to make it possible to adapt a proof of normalization for TAP to TAC. The proof
we have chosen to adapt is a proof of strong normalization due to Stenlund [Ste72]
§5.6. However, the proof needs to be modified in much the way that the proof of
[Mar71a] is modified in [Mar73].


Convention Let 𝒟 be a deduction whose conclusion is M : A, where A =_β (∀x₁ :
A₁)…(∀x_n : A_n)B, and for i = 1, …, n, let 𝒟_i be a deduction with conclusion
M_i : A'_i, where

    A'_i = [M₁/x₁, …, M_{i−1}/x_{i−1}]A_i.

Then

          𝒟
        M : A
    {𝒟₁, …, 𝒟_n}

will denote the deduction

              𝒟
            M : A
    ----------------------------------- (Eq'')         𝒟₁
     M : (∀x₁ : A₁)…(∀x_n : A_n)B                    M₁ : A'₁
    -------------------------------------------------------------- (∀e)
     MM₁ : [M₁/x₁](∀x₂ : A₂)…(∀x_n : A_n)B
                      ⋮
     MM₁…M_{n−1} : (∀x_n : A'_n)B'                     𝒟_n
                                                      M_n : A'_n
    -------------------------------------------------------------- (∀e)
     MM₁…M_n : B''

where B' = [M₁/x₁, …, M_{n−1}/x_{n−1}]B and B'' = [M₁/x₁, …, M_n/x_n]B. (If n = 0,
then it will denote 𝒟 itself.)


Definition 4.13 (Type of a deduction) If 𝒟 is a deduction whose conclusion is
M : A, then A is called the type of 𝒟.

Definition 4.14 (Strongly normal deduction) A deduction 𝒟 is said to be
strongly normal (SN) if every reduction starting with 𝒟 terminates in a normal
deduction.


Our  aim  is  to  prove  that  every  deduction  is  SN. 

Remark In the proof, we will be making important use of the classifications in
Definition 4.11. We will also be discussing a number of deductions at the same
time. It will be important that each formula in each deduction be classified the
same way in any other deduction under consideration. For this purpose we will
need to know that the well-formed environments of different deductions are all
consistent in that none of them have assumptions assigning different types to the
same variable. To ensure this consistency, we will assume that we are starting
with a generalized well-formed environment Γ₀ that is an infinite set rather than
a finite sequence of assumptions. All well-formed environments actually considered
will draw their assumptions from Γ₀, and no variable will be assigned more than
one type in Γ₀. Furthermore, we shall assume that any finite subset of Γ₀ can be
extended to a larger finite subset of Γ₀ whose elements can be ordered in such a
way that it is a well-formed environment. For any deduction under consideration,
we shall assume that its discharged assumptions belong to Γ₀; such a deduction
will be called Γ₀-acceptable. A term which is the type of a Γ₀-acceptable deduction
will be called a Γ₀-type. We shall assume that any term is a Γ₀-type which can
be built up from Prop, Type, and the simple types and simple generalized contexts
obtainable from assumptions in Γ₀. (This assumption is easy to satisfy; if we start
with a candidate for Γ₀ for which it is not true, we extend it with new assumptions
(for new variables), and we keep doing this until there are enough assumptions.) A
Γ₀-proposition variable of type A, where A is a context, is a variable x such that
x : A is in Γ₀. And finally, a Γ₀-term of type A is a term M such that M : A is
provable from assumptions in Γ₀.

Definition 4.15 (Ground type set) A set S of Γ₀-acceptable deductions is a
grounded type set (ground) if the following three conditions are satisfied:

(a) Every deduction in S is SN;

(b) If 𝒟₁(N) is a part of a deduction obtained from a deduction

      x : A
      𝒟₁(x)
      M : B

by substituting N for x, if 𝒟₃ is SN, and if

         𝒟₃
        N : C
       -------- (Eq'')
        N : A
        𝒟₁(N)
    [N/x]M : [N/x]B
    {𝒟₁', …, 𝒟_n'}

is in S, then

              1
           [x : A]
           𝒟₁(x)             𝒟₂
           M : B            A : κ
    -------------------------------- (∀κ i − 1)
       λx:A . M : (∀x : A)B
    -------------------------------- (Eq'')         𝒟₃
       λx:A . M : (∀x : C)B                        N : C
    ------------------------------------------------------- (∀e)
                (λx:A . M)N : [N/x]B

is also in S; and

(c) If 𝒟₁, …, 𝒟_n are SN, and if

        x : A
    {𝒟₁, …, 𝒟_n}

is a Γ₀-acceptable deduction, then it is in S. A ground in which all of the deductions
have a given type A will be called a ground of type A.

Examples The set of all SN Γ₀-acceptable deductions is a ground. This ground
will be called SN. If A is a Γ₀-type, then the set of all Γ₀-acceptable deductions of
type A is a ground of type A; it is called SN_A.

Definition 4.16 (Proposition term) A proposition term is a term A such that
A : B is a proposition. A proposition term which is also a variable is a proposition
variable. If B =_β (∀x₁ : B₁)…(∀x_n : B_n)Prop, then terms M₁, …, M_n such that
for i = 1, 2, …, n, M_i : [M₁/x₁, …, M_{i−1}/x_{i−1}]B_i can be proved from hypotheses
from Γ₀, will be called argument terms of A. If n = 0, then the term [variable] is
called a sentence term [sentence variable]. (Note that if A is a proposition term and
M₁, …, M_n are argument terms of A, then AM₁…M_n : Prop can be proved from
assumptions in Γ₀.)

For the next definition, we need to recall what we know about Γ₀-types. We
know that any such type (except a supercontext) can be proved (from assumptions
in Γ₀) to be in Prop or in Type, and that a deduction proving that A is in Prop or
Type which has been transformed by Theorem 2.5 can end with an inference by rule
(Eq'κ). If we take such a deduction which is c-normal and delete this last inference,
we get what we might call a standard form of A, to which A converts. If we add to
these standard forms the standard forms of the supercontexts, then this standard
form will either be Prop, Type, a simple type, a simple generalized context, or else
will have the form (∀x : B)C. When we speak of making a definition by induction
on the structure of a type, we will mean by induction on the number of occurrences
of ∀ in its standard form. This mirrors the construction of the type from Prop
and the simple types by the universal type-forming operator. We can indicate this
induction by the following definition:

Definition 4.17 (Rank of a Γ₀-type) The rank of a Γ₀-type A, rk(A), is defined
as follows:

(a) if A is a simple type or a simple generalized context, rk(A) = 0;

(b) rk(Prop) = rk(Type) = 0;

(c) rk((∀x : A)B) = rk(A) + rk(B) + 1; and

(d) if A =_β B, then rk(A) = rk(B).
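As an added worked example, not part of the original report, the degree of Definition 4.8 and the rank of Definition 4.17 are computed below on the same constructed context A, to make the difference between the two measures visible: degree takes a maximum and starts Prop at 1 (so it is one more than the nesting depth of ∀), whereas rank takes a sum and starts Prop at 0 (so it simply counts the occurrences of ∀ in the standard form).

```latex
\begin{align*}
A &= (\forall x : \mathrm{Prop})\,(\forall y : (\forall z : \mathrm{Prop})\mathrm{Prop})\,\mathrm{Prop} \\[4pt]
\deg(\mathrm{Prop}) &= 1 \\
\deg((\forall z : \mathrm{Prop})\mathrm{Prop}) &= 1 + \max(1, 1) = 2 \\
\deg((\forall y : (\forall z : \mathrm{Prop})\mathrm{Prop})\mathrm{Prop}) &= 1 + \max(2, 1) = 3 \\
\deg(A) &= 1 + \max(1, 3) = 4 \\[4pt]
\mathrm{rk}(\mathrm{Prop}) &= 0 \\
\mathrm{rk}((\forall z : \mathrm{Prop})\mathrm{Prop}) &= 0 + 0 + 1 = 1 \\
\mathrm{rk}((\forall y : (\forall z : \mathrm{Prop})\mathrm{Prop})\mathrm{Prop}) &= 1 + 0 + 1 = 2 \\
\mathrm{rk}(A) &= 0 + 2 + 1 = 3
\end{align*}
```

The standard form of A contains three occurrences of ∀ and nests them to depth 3, which is why rk(A) = 3 while deg(A) = 4.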

Definition 4.18 (Computability predicate) Let M be a Γ₀-term of type A. By
induction on rk(A), a computability predicate of type M, denoted p[M], is defined as
follows:

(a) if A is not a context, then p[M] = M;

(b) if A =_β Prop or Type, then p[M] is a ground of type M; and

(c) if A =_β (∀x₁ : A₁)…(∀x_n : A_n)Prop, then p[M] is a function whose arguments
are computability predicates p[M₁], …, p[M_n] of types M₁, …, M_n, where each M_i
is a Γ₀-term of type A_i, and whose value is a ground of type MM₁…M_n.

For the next definition, we need to proceed by a kind of induction on the structure
of a term. For this induction, we need to note that if a term A is not a Γ₀-proof,
then it is a Γ₀-proposition function, a Γ₀-context function, or a supercontext. Thus,
if A is not a Γ₀-proof, then it converts to Prop, Type, a Γ₀-simple type, a Γ₀-simple
generalized context, (∀x : B)C (where B is neither a supercontext nor a proof and
where C is not a proof), or λx : B . C (where B is neither a supercontext nor
a proof and where C is neither a supercontext nor a proof). Here B and C are
essentially simpler than A; furthermore, if A converts to a simple type xM₁…M_n,
then each M_i is essentially simpler than A. This justifies the following definition by
induction on the “structure of A”.
Definition 4.19 (Computability object) Let A(x₁, …, x_n) be a term all of
whose free variables which are not assigned to supercontexts in Γ₀ occur in the
list x₁, …, x_n. Let A₁, …, A_n be Γ₀-terms of the types of x₁, …, x_n respectively.
Let p[A₁], …, p[A_n] be an assignment of computability functions to the
terms A₁, …, A_n. Relative to this assignment we shall define by induction on the
structure of A(x₁, …, x_n) a computability object C[A(x₁, …, x_n)](p[A₁], …, p[A_n]),
which will contain deductions of type A(A₁, …, A_n) if A(x₁, …, x_n) is a Γ₀-type.
To simplify the notation, we let x be the sequence x₁, …, x_n, A the sequence
A₁, …, A_n, and p[A] be the sequence p[A₁], …, p[A_n].

(a) if A(x) is a Γ₀-proof, then C[A(x)](p[A]) is the term A(A) itself;

(b) if A(x) =_β Prop, Type, or a Γ₀-simple generalized context, then C[A(x)](p[A]) =
SN_{A(A)};

(c) if A(x) =_β x_iM₁(x)…M_m(x) and is neither a Γ₀-proof nor a Γ₀-simple generalized
context, then C[A(x)](p[A]) is p[A_i](C[M₁(x)](p[A]), …, C[M_m(x)](p[A]));⁹

(d) if A(x) =_β (∀x : B(x))C(x,x), where B(x) is not a context, then C[A(x)](p[A])
is the set of all Γ₀-acceptable deductions

         𝒟
      M : A(A)

such that if

         𝒟'
      N : B(A)

is in C[B(x)](p[A]), then

            𝒟
         M : A(A)
    ------------------------- (Eq'')          𝒟'
     M : (∀x : B(A))C(x,A)                  N : B(A)
    ---------------------------------------------------- (∀e)
                 MN : C(N,A),

is in C[C(N,x)](p[A]);¹⁰

(e) if A(x) =_β (∀x : B(x))C(x,x) where B(x) is a context, then C[A(x)](p[A]) is
the set of all Γ₀-acceptable deductions

         𝒟
      M : A(A)

such that if

         𝒟'
      E : B(A)

is in C[B(x)](p[A]) and if p[E] is any computability predicate assigned to E, then

            𝒟
         M : A(A)
    ------------------------- (Eq'')          𝒟'
     M : (∀x : B(A))C(x,A)                  E : B(A)
    ---------------------------------------------------- (∀e)
                 ME : C(E,A),

is in C[C(x,x)](p[E], p[A]); and

(f) if A(x) =_β λx : B(x).C(x,x) and is not a Γ₀-proof, then C[A(x)](p[A]) is a
function whose argument is a computability function of type E, where E is a Γ₀-term
of type B(A) (the type of x), and whose values are given by

    (C[A(x)](p[A]))(p[E]) = C[C(x,x)](p[E], p[A]).

Lemma 4.4 (a) If

        x : B
    {𝒟₁, …, 𝒟_n}

for n ≥ 0 is a deduction of type A(A), and if 𝒟₁, …, 𝒟_n are all SN, then

        x : B
    {𝒟₁, …, 𝒟_n}

is in C[A(x)](p[A]).

(b) Every deduction in C[A(x)](p[A]) is SN.¹¹

⁹This definition makes sense only if C[A(x)](p[A]) is a computability predicate. This will be
proved below (Lemma 4.6).

¹⁰In case (d), note that since B(x) is not a context and since N : B(A), C(N, x) must have
the same structure (with respect to the construction of types) as C(x, x). The division into cases
between (d) and (e) is precisely the distinction between terms which can, after substitution, change
the structure of the type in an essential way, and dealing with this possible change is one of the
main difficulties of the proof. Furthermore, in cases (d) and (e) of this definition, we are assuming
that x does not occur free in A. Since x does not occur in B(A), this is immediate for those A_i
which actually occur in B(A), and for those which do not occur in C(x,A), there is clearly no
problem. For those A_i which occur in C(x,A) but not in B(A), since we automatically change
bound variables to avoid clashes when we carry out a substitution, the fact that the bound variable
is x implies that it does not occur free in these A_i.

Proof By induction on the structure of A(x). Note that A(x) is not a Γ₀-proof
and does not convert to λx:B(x) . C(x,x).

Case 1. A(x) =_β Prop, Type, or a Γ₀-simple generalized context. Since

        x : B
    {𝒟₁, …, 𝒟_n}

is SN whenever 𝒟₁, …, 𝒟_n are SN, (a) follows by Definition 4.19(b). Part (b)
follows immediately by Definition 4.19(b).

Case 2. A(x) =_β x_iM₁…M_m and is not a Γ₀-generalized context. Part (a)
holds by Definition 4.15(c) and Definitions 4.18 and 4.19(b). Part (b) holds by
Definition 4.15(a) and Definitions 4.18 and 4.19(b).

Case 3. A(x) =_β (∀x : B(x))C(x,x), where B(x) is not a context. To prove
(a), let

         𝒟
      M : A(A)

be a deduction in C[A(x)](p[A]) and let x : B(A) be an assumption in Γ₀ for which
x does not occur free in 𝒟. (We may assume without loss of generality that the
bound variable x has been changed if necessary to assure that there is such an
assumption in Γ₀.) By the induction hypothesis (a) (with n = 0), x : B(A) is in
C[B(x)](p[A]). Hence, by Definition 4.19(d),

            𝒟
         M : A(A)
    ------------------------- (Eq'')
     M : (∀x : B(A))C(x,A)         x : B(A)
    ---------------------------------------------- (∀e)
                 Mx : C(x,A)

is in C[C(x,x)](p[A]). Hence, by the induction hypothesis (b), this deduction is
SN. Hence, 𝒟 is SN.
¹¹Cf. Hindley & Seldin [HS86] Theorem A2.3, Lemma 1.
To prove (b), let

        y : E
    {𝒟₁, …, 𝒟_n}

be a Γ₀-acceptable deduction of type A(A) where 𝒟₁, …, 𝒟_n are all SN, and let

         𝒟
      N : B(A)

be in C[B(x)](p[A]). By the induction hypothesis (b), 𝒟 is SN. Hence, by the
induction hypothesis (a),

          y : E
    {𝒟₁, …, 𝒟_n, 𝒟}

is in C[C(N,x)](p[A]). Hence, by Definition 4.19(d),

        y : E
    {𝒟₁, …, 𝒟_n}

is in C[A(x)](p[A]).

Case 4. A(x) =_β (∀x : B(x))C(x,x), where B(x) is a context. To prove (a), let

         𝒟
      M : A(A)

be in C[A(x)](p[A]), and let x : B(A) be an assumption in Γ₀. By the induction
hypothesis (a) (with n = 0), x : B(A) is in C[B(x)](p[A]). By Definition 4.19(e),

            𝒟
         M : A(A)
    ------------------------- (Eq'')
     M : (∀x : B(A))C(x,A)         x : B(A)
    ---------------------------------------------- (∀e)
                 Mx : C(x,A)

is in C[C(x,x)](p[x], p[A]) for all p[x]. By the induction hypothesis (b), it is SN.
Hence, 𝒟 is SN.
To prove (b), let

\[
\begin{array}{c} y : E \\ \{\mathcal{D}_1, \ldots, \mathcal{D}_n\} \end{array}
\]

be a $\Gamma_0$-acceptable deduction of type $A(A)$ where $\mathcal{D}_1, \ldots, \mathcal{D}_n$ are all SN, and let

\[
\begin{array}{c} \mathcal{D} \\ F : B(A) \end{array}
\]

be in $\mathcal{C}[B(x)](\rho[A])$. By the induction hypothesis (b), $\mathcal{D}$ is SN. Hence, by the induction hypothesis (a),

\[
\begin{array}{c} y : E \\ \{\mathcal{D}_1, \ldots, \mathcal{D}_n, \mathcal{D}\} \end{array}
\]

is in $\mathcal{C}[C(x,x)](\rho[F], \rho[A])$ for all $\rho[F]$. Hence, by Definition 4.19(d),

\[
\begin{array}{c} y : E \\ \{\mathcal{D}_1, \ldots, \mathcal{D}_n\} \end{array}
\]

is in $\mathcal{C}[A(x)](\rho[A])$. ■

Lemma 4.5 If $\mathcal{D}_1(N)$ is a part of a deduction obtained from a deduction

\[
\begin{array}{c} x : E \\ \mathcal{D}_1(x) \\ M : B \end{array}
\]

by substituting $N$ for $x$, if $\mathcal{D}_3$ is SN, and if

\[
\begin{array}{c}
\dfrac{\begin{array}{c} \mathcal{D}_3 \\ N : C \end{array}}{N : E}\ (\mathrm{Eq}'') \\
\mathcal{D}_1(N) \\
[N/x]M : [N/x]B \\
\{\mathcal{D}_1', \ldots, \mathcal{D}_n'\}
\end{array} \tag{4.6}
\]

is in $\mathcal{C}[A(x)](\rho[A])$, then

\[
\begin{array}{c}
\dfrac{\dfrac{\dfrac{\begin{array}{cc} [x : E]^{1} & \\ \mathcal{D}_1(x) & \mathcal{D}_2 \\ M : B & E : \kappa \end{array}}{\lambda x{:}E\,.\,M : (\forall x : E)B}\ (\forall\kappa i{-}1)}{\lambda x{:}E\,.\,M : (\forall x : C)B}\ (\mathrm{Eq}'') \qquad \begin{array}{c} \mathcal{D}_3 \\ N : C \end{array}}{(\lambda x{:}E\,.\,M)N : [N/x]B}\ (\forall e) \\
\{\mathcal{D}_1', \ldots, \mathcal{D}_n'\}
\end{array} \tag{4.7}
\]

is also in $\mathcal{C}[A(x)](\rho[A])$.¹²

Proof By induction on the structure of $A(x)$. Again, $A(x)$ is not a $\Gamma_0$-proof and does not convert to $\lambda x{:}B(x)\,.\,C(x,x)$.

Case 1. $A(x) \equiv \mathrm{Prop}$, $\mathrm{Type}$, or a $\Gamma_0$-simple generalized context. The lemma follows from Definition 4.19(b) and the fact that (4.7) is SN whenever (4.6) is and the hypotheses of the lemma are satisfied.

Case 2. $A(x) \equiv xM_1 \ldots M_m$ and is not a $\Gamma_0$-simple generalized context. The lemma holds by Definition 4.15(b) and Definition 4.19(c).

Case 3. $A(x) \equiv (\forall x : B(x))C(x,x)$, where $B(x)$ is not a context. By hypothesis, (4.6) is in $\mathcal{C}[A(x)](\rho[A])$. Let

\[
\begin{array}{c} \mathcal{D} \\ P : B(A) \end{array}
\]

be any deduction in $\mathcal{C}[B(x)](\rho[A])$. Then by Definition 4.19(d) we have

\[
\begin{array}{c}
\dfrac{\begin{array}{c} \mathcal{D}_3 \\ N : C \end{array}}{N : E}\ (\mathrm{Eq}'') \\
\mathcal{D}_1(N) \\
[N/x]M : [N/x]B \\
\{\mathcal{D}_1', \ldots, \mathcal{D}_n', \mathcal{D}\}
\end{array}
\]

is in $\mathcal{C}[C(P,x)](\rho[A])$. By the induction hypothesis,

\[
\begin{array}{c}
\dfrac{\dfrac{\dfrac{\begin{array}{cc} [x : E]^{1} & \\ \mathcal{D}_1(x) & \mathcal{D}_2 \\ M : B & E : \kappa \end{array}}{\lambda x{:}E\,.\,M : (\forall x : E)B}\ (\forall\kappa i{-}1)}{\lambda x{:}E\,.\,M : (\forall x : C)B}\ (\mathrm{Eq}'') \qquad \begin{array}{c} \mathcal{D}_3 \\ N : C \end{array}}{(\lambda x{:}E\,.\,M)N : [N/x]B}\ (\forall e) \\
\{\mathcal{D}_1', \ldots, \mathcal{D}_n', \mathcal{D}\}
\end{array}
\]

is in $\mathcal{C}[C(P,x)](\rho[A])$. Hence, by Definition 4.19(d), (4.7) is in $\mathcal{C}[A(x)](\rho[A])$.

¹² Cf. Hindley & Seldin [HS86] Theorem A2.3 Lemma 2.

Case 4. $A(x) \equiv (\forall x : B(x))C(x,x)$, where $B(x)$ is a context. By hypothesis, (4.6) is in $\mathcal{C}[A(x)](\rho[A])$. Let

\[
\begin{array}{c} \mathcal{D} \\ F : B(A) \end{array}
\]

be any deduction in $\mathcal{C}[B(x)](\rho[A])$, and let $\rho[F]$ be a computability function for $F$. Then by Definition 4.19(e) we have

\[
\begin{array}{c}
\dfrac{\begin{array}{c} \mathcal{D}_3 \\ N : C \end{array}}{N : E}\ (\mathrm{Eq}'') \\
\mathcal{D}_1(N) \\
[N/x]M : [N/x]B \\
\{\mathcal{D}_1', \ldots, \mathcal{D}_n', \mathcal{D}\}
\end{array}
\]

is in $\mathcal{C}[C(x,x)](\rho[F], \rho[A])$. By the induction hypothesis,

\[
\begin{array}{c}
\dfrac{\dfrac{\dfrac{\begin{array}{cc} [x : E]^{1} & \\ \mathcal{D}_1(x) & \mathcal{D}_2 \\ M : B & E : \kappa \end{array}}{\lambda x{:}E\,.\,M : (\forall x : E)B}\ (\forall\kappa i{-}1)}{\lambda x{:}E\,.\,M : (\forall x : C)B}\ (\mathrm{Eq}'') \qquad \begin{array}{c} \mathcal{D}_3 \\ N : C \end{array}}{(\lambda x{:}E\,.\,M)N : [N/x]B}\ (\forall e) \\
\{\mathcal{D}_1', \ldots, \mathcal{D}_n', \mathcal{D}\}
\end{array}
\]

is in $\mathcal{C}[C(x,x)](\rho[F], \rho[A])$. Hence, by Definition 4.19(e), (4.7) is in $\mathcal{C}[A(x)](\rho[A])$. ■

Lemma 4.6 If $A(x)$ and $\rho[A]$ satisfy the hypothesis of Definition 4.19, then $\mathcal{C}[A(x)](\rho[A])$ is a ground for each term $A(A)$.

Proof Lemmas 4.4 and 4.5. ■

The  following  lemma  makes  sense  because  of  Lemma  4.6. 

Lemma 4.7 (Substitution) Let $x$ be a variable which is not assigned a supercontext as a type by $\Gamma_0$, let $A(x,\mathbf{y})$ be any $\Gamma_0$-type, and let $B(\mathbf{y})$ be a term which can be shown from $\Gamma_0$ to have the same type as $x$, where $\mathbf{y}$ includes all variables except $x$ which occur free and which are not assigned supercontexts as types by $\Gamma_0$. Let $\mathbf{C}$ be a sequence of terms of the same types as the variables in $\mathbf{y}$ and let $\rho[\mathbf{C}]$ be an assignment of computability predicates to the terms in $\mathbf{C}$. Then

\[
\mathcal{C}[A(x,\mathbf{y})](\mathcal{C}[B(\mathbf{y})](\rho[\mathbf{C}]), \rho[\mathbf{C}]) = \mathcal{C}[A(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]).
\]

Proof By induction first on the rank of the type of $B(\mathbf{y})$ and second on the structure of $A(x,\mathbf{y})$. For simplicity, let $\rho[B(\mathbf{C})]$ abbreviate $\mathcal{C}[B(\mathbf{y})](\rho[\mathbf{C}])$. (This is a computability predicate by Lemma 4.6.)

Case 1. $A(x,\mathbf{y})$ is a $\Gamma_0$-proof. Then both sides are $A(B(\mathbf{C}),\mathbf{C})$ by Definition 4.19(a).

In the remaining cases, we may assume that $A(x,\mathbf{y})$ is not a $\Gamma_0$-proof.

Case 2. $x$ does not occur free in $A(x,\mathbf{y})$. Then the lemma is trivial. This takes care of the cases in which $A(x,\mathbf{y})$ converts to Prop or Type.

Case 3. $A(x,\mathbf{y}) \equiv zM_1 \ldots M_n$, a simple generalized context. Then $z$ is assigned a supercontext as a type by $\Gamma_0$ and hence, by hypothesis, is distinct from $x$. Then by Definition 4.19(b), each side consists of the set of all SN deductions of type $A(B(\mathbf{C}),\mathbf{C})$.

Case 4. $A(x,\mathbf{y}) \equiv yM_1(x,\mathbf{y}) \ldots M_n(x,\mathbf{y})$, where $y \neq x$ is one of the variables in $\mathbf{y}$, and $C$ is the term in $\mathbf{C}$ corresponding to $y$. Then

\[
\mathcal{C}[A(x,\mathbf{y})](\rho[B(\mathbf{C})], \rho[\mathbf{C}]) = \rho[C](\mathcal{C}[M_1(x,\mathbf{y})](\rho[B(\mathbf{C})], \rho[\mathbf{C}]), \ldots, \mathcal{C}[M_n(x,\mathbf{y})](\rho[B(\mathbf{C})], \rho[\mathbf{C}])),
\]

and since $A(B(\mathbf{y}),\mathbf{y}) \equiv yM_1(B(\mathbf{y}),\mathbf{y}) \ldots M_n(B(\mathbf{y}),\mathbf{y})$,

\[
\mathcal{C}[A(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]) = \rho[C](\mathcal{C}[M_1(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]), \ldots, \mathcal{C}[M_n(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}])).
\]

The lemma follows by the induction hypothesis.

Case 5. $A(x,\mathbf{y}) \equiv xM_1(x,\mathbf{y}) \ldots M_p(x,\mathbf{y})$. For simplicity, write this as $x\mathbf{M}(x,\mathbf{y})$. Then the type of $x$ and $B(\mathbf{y})$ is

\[
(\forall z_1 : E_1) \ldots (\forall z_p : E_p)G,
\]

where $G$ is either Prop or a $\Gamma_0$-simple context function, and so $B(\mathbf{y})$ is a proposition function. By Definition 4.19(c),

\[
\mathcal{C}[A(x,\mathbf{y})](\rho[B(\mathbf{C})], \rho[\mathbf{C}]) = \rho[B(\mathbf{C})](\mathcal{C}[\mathbf{M}(x,\mathbf{y})](\rho[B(\mathbf{C})], \rho[\mathbf{C}])).
\]

By the induction hypothesis, the right-hand side equals

\[
\rho[B(\mathbf{C})](\mathcal{C}[\mathbf{M}(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}])),
\]

which, by our abbreviation for $\rho[B(\mathbf{C})]$, is

\[
\mathcal{C}[B(\mathbf{y})](\rho[\mathbf{C}])(\mathcal{C}[\mathbf{M}(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}])).
\]

If $p = 0$, we are finished, since $A(B(\mathbf{y}),\mathbf{y}) \equiv B(\mathbf{y})$ and $\mathbf{M}(B(\mathbf{y}))$ is void, so this is just

\[
\mathcal{C}[A(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]),
\]

as desired. If $p > 0$, then we have the following subcases according to Corollary 4.13.1:

Subcase 5.1. $B(\mathbf{y}) \equiv \lambda z_1{:}E_1\,.\,\ldots\,\lambda z_p{:}E_p\,.\,F(\mathbf{z},\mathbf{y})$, where $\mathbf{z}$ is the sequence $z_1, \ldots, z_p$. By Definition 4.19(f),

\[
\mathcal{C}[B(\mathbf{y})](\rho[\mathbf{C}])(\mathcal{C}[\mathbf{M}(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]))
\]

is

\[
\mathcal{C}[F(\mathbf{z},\mathbf{y})](\rho[\mathbf{C}], \mathcal{C}[\mathbf{M}(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}])).
\]

By the induction hypothesis on the type of $B(\mathbf{y})$, this is

\[
\mathcal{C}[B(\mathbf{y})\mathbf{M}(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]),
\]

and since $A(B(\mathbf{y}),\mathbf{y}) \equiv B(\mathbf{y})\mathbf{M}(B(\mathbf{y}),\mathbf{y})$, we are done.

Subcase 5.2. $B(\mathbf{y}) \equiv y_i N_1(\mathbf{y}) \ldots N_q(\mathbf{y})$, which we may as well abbreviate as $y_i\mathbf{N}(\mathbf{y})$. Then $A(B(\mathbf{y}),\mathbf{y}) \equiv y_i\mathbf{N}(\mathbf{y})\mathbf{M}(B(\mathbf{y}),\mathbf{y})$. Now by Definition 4.19(c),

\[
\mathcal{C}[B(\mathbf{y})](\rho[\mathbf{C}])(\mathcal{C}[\mathbf{M}(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]))
\]

is

\[
\rho[C_i](\mathcal{C}[\mathbf{N}(\mathbf{y})](\rho[\mathbf{C}]))(\mathcal{C}[\mathbf{M}(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}])),
\]

but this is the same thing as

\[
\rho[C_i](\mathcal{C}[\mathbf{N}(\mathbf{y})](\rho[\mathbf{C}]), \mathcal{C}[\mathbf{M}(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}])),
\]

and by Definition 4.19(c), this is

\[
\mathcal{C}[A(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]),
\]

as desired.

Case 6. $A(x,\mathbf{y}) \equiv (\forall z : E(x,\mathbf{y}))F(z,x,\mathbf{y})$, where $E(x,\mathbf{y})$ is not a context. By the induction hypothesis,

\[
\mathcal{C}[E(x,\mathbf{y})](\rho[B(\mathbf{C})], \rho[\mathbf{C}]) = \mathcal{C}[E(B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}])
\]

and, for any term $N(\mathbf{y})$ such that there is a $\Gamma_0$-acceptable deduction ending in $N(\mathbf{C}) : E(B(\mathbf{C}),\mathbf{C})$,

\[
\mathcal{C}[F(N,x,\mathbf{y})](\rho[B(\mathbf{C})], \rho[\mathbf{C}]) = \mathcal{C}[F(N,B(\mathbf{y}),\mathbf{y})](\rho[\mathbf{C}]).
\]

By Definition 4.19(d), the lemma follows.

Case 7. $A(x,\mathbf{y}) \equiv (\forall z : E(x,\mathbf{y}))F(z,x,\mathbf{y})$, where $E(x,\mathbf{y})$ is a context. Similar to Case 4 using Definition 4.19(e). ■


Notation In the following lemma, $\mathbf{x}$ will denote the sequence $x_1, \ldots, x_n$, $\mathbf{y}$ the sequence $y_1, \ldots, y_m$, $\mathbf{N}$ the sequence $N_1, \ldots, N_n$, $\mathbf{B}$ the sequence $B_1, \ldots, B_m$, and $\rho[\mathbf{B}]$ the sequence $\rho[B_1], \ldots, \rho[B_m]$. Furthermore, $A'_{i+1}$, for $i = 0, 1, \ldots, n-1$, will denote $[N_1/x_1, \ldots, N_i/x_i]A_{i+1}$.


Lemma 4.8 Let

\[
\begin{array}{c}
x_1 : A_1(\mathbf{y}), \ldots, x_n : A_n(\mathbf{y}) \\
\mathcal{D}(\mathbf{x},\mathbf{y}) \\
M(\mathbf{x},\mathbf{y}) : A(\mathbf{x},\mathbf{y})
\end{array}
\]

be a $\Gamma_0$-acceptable deduction all of whose undischarged assumptions are among those shown, where $\mathbf{y}$ consists of all variables which occur free in any type or term which are not assigned supercontexts as types by $\Gamma_0$. For all assignments of terms $B_1, \ldots, B_m$ to $y_1, \ldots, y_m$ (where for each $i = 1, 2, \ldots, m$, it can be proved from $\Gamma_0$ that $B_i$ is in the type assigned to $y_i$) and for all assignments of computability predicates $\rho[B_1], \ldots, \rho[B_m]$ to $B_1, \ldots, B_m$, if for $i = 1, 2, \ldots, n$, the $\Gamma_0$-acceptable deduction

\[
\begin{array}{c} \mathcal{D}_i \\ N_i : A'_i(\mathbf{B}) \end{array}
\]

is in $\mathcal{C}[A_i(\mathbf{y})](\rho[\mathbf{B}])$, then

\[
\begin{array}{c}
\mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\
N_1 : A'_1(\mathbf{B}), \ \ldots, \ N_n : A'_n(\mathbf{B}) \\
\mathcal{D}(\mathbf{N},\mathbf{B}) \\
M(\mathbf{N},\mathbf{B}) : A(\mathbf{N},\mathbf{B})
\end{array} \tag{4.8}
\]

is in $\mathcal{C}[A(\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$.¹³
Proof By induction on the structure of $\mathcal{D}(\mathbf{x},\mathbf{y})$.

Basis:

Case 1. $\mathcal{D}(\mathbf{x},\mathbf{y})$ consists of the axiom (P T). Since this deduction is clearly SN, the lemma follows by Definition 4.19(b).

Case 2. $\mathcal{D}(\mathbf{x},\mathbf{y})$ consists of the assumption $x_i : A_i(\mathbf{y})$. The lemma is immediate.

Induction step: There are the following cases, according to the last inference in $\mathcal{D}(\mathbf{x},\mathbf{y})$.

Case 1. The last inference is by ($\kappa\kappa'$Formation). By Definition 4.19(b), it is sufficient to prove that (4.8) is SN. By the induction hypothesis and Definition 4.19(b), the deductions of both premises are SN. Hence, (4.8) is SN.

Case 2. The last inference is by (Eq$'\kappa$). Similar to Case 1.

Case 3. The last inference is by ($\forall$e). Then $M(\mathbf{x},\mathbf{y}) \equiv M_1(\mathbf{x},\mathbf{y})M_2(\mathbf{x},\mathbf{y})$, $A(\mathbf{x},\mathbf{y}) = E(M_2(\mathbf{x},\mathbf{y}),\mathbf{x},\mathbf{y})$, and $\mathcal{D}(\mathbf{x},\mathbf{y})$ is

\[
\dfrac{\begin{array}{c} x_1 : A_1(\mathbf{y}), \ldots, x_n : A_n(\mathbf{y}) \\ \mathcal{D}'(\mathbf{x},\mathbf{y}) \\ M_1(\mathbf{x},\mathbf{y}) : (\forall x : C(\mathbf{x},\mathbf{y}))E(x,\mathbf{x},\mathbf{y}) \end{array} \qquad \begin{array}{c} x_1 : A_1(\mathbf{y}), \ldots, x_n : A_n(\mathbf{y}) \\ \mathcal{D}''(\mathbf{x},\mathbf{y}) \\ M_2(\mathbf{x},\mathbf{y}) : C(\mathbf{x},\mathbf{y}) \end{array}}{M_1(\mathbf{x},\mathbf{y})M_2(\mathbf{x},\mathbf{y}) : E(M_2(\mathbf{x},\mathbf{y}),\mathbf{x},\mathbf{y}).}\ (\forall e)
\]

Subcase 3.1. $C(\mathbf{x},\mathbf{y})$ is not a context. By the induction hypothesis,

\[
\begin{array}{c}
\mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\
N_1 : A'_1(\mathbf{B}), \ \ldots, \ N_n : A'_n(\mathbf{B}) \\
\mathcal{D}'(\mathbf{N},\mathbf{B}) \\
M_1(\mathbf{N},\mathbf{B}) : (\forall x : C(\mathbf{N},\mathbf{B}))E(x,\mathbf{N},\mathbf{B})
\end{array}
\]

is in $\mathcal{C}[(\forall x : C(\mathbf{N},\mathbf{y}))E(x,\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$ and

\[
\begin{array}{c}
\mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\
N_1 : A'_1(\mathbf{B}), \ \ldots, \ N_n : A'_n(\mathbf{B}) \\
\mathcal{D}''(\mathbf{N},\mathbf{B}) \\
M_2(\mathbf{N},\mathbf{B}) : C(\mathbf{N},\mathbf{B})
\end{array}
\]

is in $\mathcal{C}[C(\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$. Then by Definition 4.19(d), (4.8) is in $\mathcal{C}[E(M_2(\mathbf{N},\mathbf{y}),\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$.

¹³ Cf. Hindley & Seldin [HS86] Theorem A2.3 Lemma 3(b).

Subcase 3.2. $C(\mathbf{x},\mathbf{y})$ is a context. By the induction hypothesis,

\[
\begin{array}{c}
\mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\
N_1 : A'_1(\mathbf{B}), \ \ldots, \ N_n : A'_n(\mathbf{B}) \\
\mathcal{D}'(\mathbf{N},\mathbf{B}) \\
M_1(\mathbf{N},\mathbf{B}) : (\forall x : C(\mathbf{N},\mathbf{B}))E(x,\mathbf{N},\mathbf{B})
\end{array}
\]

is in $\mathcal{C}[(\forall x : C(\mathbf{N},\mathbf{y}))E(x,\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$ and

\[
\begin{array}{c}
\mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\
N_1 : A'_1(\mathbf{B}), \ \ldots, \ N_n : A'_n(\mathbf{B}) \\
\mathcal{D}''(\mathbf{N},\mathbf{B}) \\
M_2(\mathbf{N},\mathbf{B}) : C(\mathbf{N},\mathbf{B})
\end{array}
\]

is in $\mathcal{C}[C(\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$. Then by Definition 4.19(e), for any computability predicate $\rho[M_2(\mathbf{N},\mathbf{B})]$, (4.8) is in $\mathcal{C}[E(x,\mathbf{N},\mathbf{y})](\rho[M_2(\mathbf{N},\mathbf{B})], \rho[\mathbf{B}])$. To complete the proof, it is sufficient to find a computability predicate $\rho[M_2(\mathbf{N},\mathbf{B})]$ such that

\[
\mathcal{C}[E(x,\mathbf{N},\mathbf{y})](\rho[M_2(\mathbf{N},\mathbf{B})], \rho[\mathbf{B}]) = \mathcal{C}[E(M_2(\mathbf{N},\mathbf{y}),\mathbf{N},\mathbf{y})](\rho[\mathbf{B}]). \tag{4.9}
\]

A suitable such function is the one such that

\[
\rho[M_2(\mathbf{N},\mathbf{B})] = \mathcal{C}[M_2(\mathbf{N},\mathbf{y})](\rho[\mathbf{B}]).
\]

That this is a computability predicate follows from Definition 4.18 and Lemma 4.6. That (4.9) holds follows from Lemma 4.7.

Case 4. The last inference is by ($\forall\kappa$i). Then $A(\mathbf{x},\mathbf{y}) = (\forall x : C(\mathbf{x},\mathbf{y}))E(x,\mathbf{x},\mathbf{y})$, $M(\mathbf{x},\mathbf{y})$ is $\lambda x{:}C(\mathbf{x},\mathbf{y})\,.\,M_1(x,\mathbf{x},\mathbf{y})$, and $\mathcal{D}(\mathbf{x},\mathbf{y})$ is

\[
\dfrac{\begin{array}{c} [x : C(\mathbf{x},\mathbf{y})]^{1}, x_1 : A_1(\mathbf{y}), \ldots, x_n : A_n(\mathbf{y}) \\ \mathcal{D}'(x,\mathbf{x},\mathbf{y}) \\ M_1(x,\mathbf{x},\mathbf{y}) : E(x,\mathbf{x},\mathbf{y}) \end{array} \qquad \begin{array}{c} x_1 : A_1(\mathbf{y}), \ldots, x_n : A_n(\mathbf{y}) \\ \mathcal{D}''(\mathbf{x},\mathbf{y}) \\ C(\mathbf{x},\mathbf{y}) : \kappa \end{array}}{\lambda x{:}C(\mathbf{x},\mathbf{y})\,.\,M_1(x,\mathbf{x},\mathbf{y}) : (\forall x : C(\mathbf{x},\mathbf{y}))E(x,\mathbf{x},\mathbf{y})}\ (\forall\kappa i{-}1)
\]
Subcase 4.1. $C(\mathbf{x},\mathbf{y})$ is not a context. Then $\kappa = \mathrm{Prop}$. By the induction hypothesis, for all deductions

\[
\begin{array}{c} \mathcal{D}''' \\ P : C(\mathbf{N},\mathbf{B}) \end{array}
\]

in $\mathcal{C}[C(\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$,

\[
\begin{array}{c}
\mathcal{D}''' \qquad \mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\
P : C(\mathbf{N},\mathbf{B}), \ N_1 : A'_1(\mathbf{B}), \ \ldots, \ N_n : A'_n(\mathbf{B}) \\
\mathcal{D}'(P,\mathbf{N},\mathbf{B}) \\
M_1(P,\mathbf{N},\mathbf{B}) : E(P,\mathbf{N},\mathbf{B})
\end{array}
\]

is in $\mathcal{C}[E(P,\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$. Hence, by Lemmas 4.4(b) and 4.5,

\[
\dfrac{\dfrac{\begin{array}{c} \mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\ [x : C^*]^{1}, N_1 : A^*_1, \ldots, N_n : A^*_n \\ \mathcal{D}'^*(x) \\ M_1^*(x) : E^*(x) \end{array} \qquad \begin{array}{c} \mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\ N_1 : A^*_1, \ldots, N_n : A^*_n \\ \mathcal{D}''^* \\ C^* : \kappa \end{array}}{\lambda x{:}C^*\,.\,M_1^*(x) : (\forall x : C^*)E^*(x)}\ (\forall\kappa i{-}1) \qquad \begin{array}{c} \mathcal{D}''' \\ P : C^* \end{array}}{(\lambda x{:}C^*\,.\,M_1^*(x))P : E^*(P),}\ (\forall e)
\]

where $A^*_i \equiv A'_i(\mathbf{B})$, $X^* \equiv X(\mathbf{N},\mathbf{B})$, and $X^*(Y) \equiv X(Y,\mathbf{N},\mathbf{B})$, is also in $\mathcal{C}[E(P,\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$. Since $\mathcal{D}'''$ is arbitrary, this implies by Definition 4.19(e) that (4.8) is in $\mathcal{C}[A(\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$.

Subcase 4.2. $C(\mathbf{x},\mathbf{y})$ is a context. Then $\kappa = \mathrm{Type}$. By the induction hypothesis, for all deductions

\[
\begin{array}{c} \mathcal{D}''' \\ F : C(\mathbf{N},\mathbf{B}) \end{array}
\]

in $\mathcal{C}[C(\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$ and for all computability predicates $\rho[F]$,

\[
\begin{array}{c}
\mathcal{D}''' \qquad \mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\
F : C(\mathbf{N},\mathbf{B}), \ N_1 : A'_1(\mathbf{B}), \ \ldots, \ N_n : A'_n(\mathbf{B}) \\
\mathcal{D}'(F,\mathbf{N},\mathbf{B}) \\
M_1(F,\mathbf{N},\mathbf{B}) : E(F,\mathbf{N},\mathbf{B})
\end{array}
\]

is in $\mathcal{C}[E(x,\mathbf{N},\mathbf{y})](\rho[F], \rho[\mathbf{B}])$. Hence, by Lemmas 4.4(b) and 4.5,

\[
\dfrac{\dfrac{\begin{array}{c} \mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\ [x : C^*]^{1}, N_1 : A^*_1, \ldots, N_n : A^*_n \\ \mathcal{D}'^*(x) \\ M_1^*(x) : E^*(x) \end{array} \qquad \begin{array}{c} \mathcal{D}_1 \qquad \cdots \qquad \mathcal{D}_n \\ N_1 : A^*_1, \ldots, N_n : A^*_n \\ \mathcal{D}''^* \\ C^* : \kappa \end{array}}{\lambda x{:}C^*\,.\,M_1^*(x) : (\forall x : C^*)E^*(x)}\ (\forall\kappa i{-}1) \qquad \begin{array}{c} \mathcal{D}''' \\ F : C^* \end{array}}{(\lambda x{:}C^*\,.\,M_1^*(x))F : E^*(F),}\ (\forall e)
\]

where $A^*_i$, $X^*$, and $X^*(Y)$ are as in Subcase 4.1, is also in $\mathcal{C}[E(x,\mathbf{N},\mathbf{y})](\rho[F], \rho[\mathbf{B}])$. Since $\mathcal{D}'''$ and $\rho[F]$ are arbitrary, this implies by Definition 4.19(d) that (4.8) is in $\mathcal{C}[A(\mathbf{N},\mathbf{y})](\rho[\mathbf{B}])$.

Case 5. The last inference is by (Eq$''$). This is straightforward by Definition 4.19.

Case 6. The last inference is by ($\equiv_\alpha$). This is trivial by Definition 4.19. ■


Theorem 4.14 (Strong normalization) Every deduction in TAC is strongly normal.

Proof In Lemma 4.8, let $\mathcal{D}_i$ consist of the assumption $x_i : A_i(\mathbf{y})$ and let $B_j$ be $y_j$. Then for any sequence $\rho[\mathbf{B}]$, $\mathcal{D}(\mathbf{x},\mathbf{y})$ is in $\mathcal{C}[A(\mathbf{x},\mathbf{y})](\rho[\mathbf{B}])$, and so is SN. ■
4.4 Consequences of the strong normalization theorem

Although  we  have  proved  the  strong  normalization  theorem  for  deductions,  this 
theorem  is  usually  proved  for  terms.  We  saw  in  Theorem  2.2  and  Corollary  2.2.1 
that  for  TA,  the  normalization  theorem  for  terms  can  be  proved  from  the  strong 
normalization  theorem  for  deductions  by  using  the  subject-construction  theorem. 
We  do  not  have  this  theorem  for  TAC  in  a  form  that  is  easy  to  state.  Nevertheless, 
there  is  a  relationship  between  terms  and  deductions,  and  we  can  expect  to  use  this 
relationship  to  obtain  a  normalization  theorem  for  terms. 

Theorem 4.15 (Normalization theorem for terms) If $\Gamma$ is a well-formed environment and if

\[
\Gamma \vdash_{\mathrm{TAC}} M : A,
\]

then $M$ has a normal form.

Proof By Theorem 4.14 there is a normal deduction $\mathcal{D}$ of

\[
\Gamma \vdash_{\mathrm{TAC}} N : A,
\]

where $M =_\beta N$. The proof is by induction on the deduction $\mathcal{D}$.

Basis: If $\mathcal{D}$ consists of an assumption, then $N$ is a variable, and so it is in normal form. If $\mathcal{D}$ consists of the axiom (P T), then $N$ is Prop, which is in normal form.

Induction step: There are the following cases, depending on the last inference in $\mathcal{D}$.

Case 1. The last inference is by rule ($\kappa\kappa'$Formation). Then $A$ is $\kappa'$, $N$ is $(\forall x : B)C$, and $\mathcal{D}$ is

\[
\dfrac{\begin{array}{c} \mathcal{D}_1 \\ B : \kappa \end{array} \qquad \begin{array}{c} [x : B]^{1} \\ \mathcal{D}_2(x) \\ C : \kappa' \end{array}}{(\forall x : B)C : \kappa'}\ (\kappa\kappa'\mathrm{Formation})
\]

By the induction hypothesis, $B$ and $C$ have normal forms; hence, so does $N$.

Case 2. The last inference is by rule (Eq$'\kappa$). Then by the induction hypothesis, $N$ converts to a term $B$ (to the left of the colon in the premise) which has a normal form.

Case 3. The last inference is by rule ($\forall$e). Then $N \equiv PQ$, $A \equiv [Q/x]C$, and $\mathcal{D}$ is

\[
\dfrac{\begin{array}{c} \mathcal{D}_1 \\ P : (\forall x : B)C \end{array} \qquad \begin{array}{c} \mathcal{D}_2 \\ Q : B \end{array}}{PQ : [Q/x]C.}\ (\forall e)
\]

By the induction hypothesis, $P$ and $Q$ have normal forms. Furthermore, since $\mathcal{D}$ is normal, there is no K-reduction possible in it. It follows that at the top of the left branch of $\mathcal{D}$ (and hence of $\mathcal{D}_1$) is an undischarged assumption. It follows that $P \equiv yQ_1 \ldots Q_m$ for some variable $y$. It follows that $Q_1, \ldots, Q_m$ all have normal forms, and hence that $PQ \equiv yQ_1 \ldots Q_mQ$ does as well.

Case 4. The last inference is by rule ($\forall\kappa$i). Then $A = (\forall x : B)C$, $N = \lambda x{:}B\,.\,P$, and $\mathcal{D}$ is

\[
\dfrac{\begin{array}{c} [x : B]^{1} \\ \mathcal{D}_1(x) \\ P : C \end{array} \qquad \begin{array}{c} \mathcal{D}_2 \\ B : \kappa \end{array}}{\lambda x{:}B\,.\,P : (\forall x : B)C.}\ (\forall\kappa i{-}1)
\]

By the induction hypothesis, $B$ and $P$ have normal forms; hence, so does $N = \lambda x{:}B\,.\,P$.

Case 5. The last inference is by rule (Eq$''$). Then $N$ is the term to the left of the colon in the premise, and so by the induction hypothesis it has a normal form.

Case 6. The last inference is by rule ($\equiv_\alpha$). Then $N$ is obtained by changes of bound variables from a term which, by the induction hypothesis, has a normal form, and so $N$ has a normal form. ■


Note that we have not proved that every term is SN. If we try to replace the conclusion by “$N$ is SN” in the above proof, we can see that Case 2 breaks down, since not every term convertible to an SN term is itself SN. Indeed, if $A$ is SN, and if $x \notin \mathrm{FV}(A)$, then for any terms $B$ and $C$, $(\lambda x{:}B\,.\,A)C =_\beta A$; now if $C$ has no normal form, then $(\lambda x{:}B\,.\,A)C$ is not SN. This shows that we cannot strengthen the theorem to prove that $N$ is SN. (Of course, to prove that $M$ is SN is somewhat more complicated; we will take this up below.)

It might appear that since only Case 2 breaks down, and since the conclusion in this case is not a proof, we might want to add the assumption that $N : A$ is a proof. This will exclude Case 2. But now we have trouble with Case 4: we can conclude that $P$ is SN, but not that $B$ is SN. Indeed, by the remarks of the previous paragraph, $B$ might not be SN.

Mitchell [Mit86] defines a function Erase for TAP which deletes the types of the bound variables. When this function is modified for TAC, it is defined as follows:

Definition 4.20 (Erase function)

(a) $\mathrm{Erase}(a) \equiv a$ if $a$ is a constant or a variable;

(b) $\mathrm{Erase}(MN) \equiv \mathrm{Erase}(M)\mathrm{Erase}(N)$;

(c) $\mathrm{Erase}(\lambda x{:}A\,.\,M) \equiv \lambda x\,.\,\mathrm{Erase}(M)$; and

(d) $\mathrm{Erase}((\forall x : A)B) \equiv (\forall x : \mathrm{Erase}(A))\mathrm{Erase}(B)$.

Note that except for clause (d), we are mapping terms of TAC to pure $\lambda$-terms. In fact, the range of the function Erase is the set of TAG terms (Definition 2.17).

We  can  now  prove  that  if  A  is  not  a  context  in  the  theorem,  then  Erase(N) 
is  SN.  To  extend  this  result  to  Erase(M),  it  is  enough  to  note  that  deductions  of 
proofs  do  follow  the  constructions  of  the  terms  except  that  additional  inferences  of 
formulas  which  are  not  proofs  are  added  at  various  places  on  top.  This  will  give  us 
the  following  result: 

Corollary 4.15.1 Under the hypotheses of Theorem 4.15, if $A$ is not a context, then $\mathrm{Erase}(M)$ is strongly normal.

There  are  some  further  corollaries  that  follow  immediately  from  Theorem  4.15. 
These  corollaries  are  standard  consequences  of  normalization  theorems. 

Corollary 4.15.2 For terms $M$ and $N$ such that

\[
\Gamma \vdash_{\mathrm{TAC}} M : A,
\]

and

\[
\Gamma \vdash_{\mathrm{TAC}} N : A,
\]

where $\Gamma$ is a well-formed environment, it is decidable whether or not $M =_\beta N$.

Corollary 4.15.3 For a term $M$ and a well-formed environment $\Gamma$, it is decidable whether or not there is a term $A$ such that

\[
\Gamma \vdash_{\mathrm{TAC}} M : A.
\]
We can also prove a partial converse to Theorem 4.2, relating TAC to TAP. Recall¹⁴ that the interpretation of types and terms of TAP as terms of TAC is defined as follows: first, we divide the variables of TAC into two mutually disjoint classes, the first for interpreting term variables of TAP and the second for interpreting the type variables. Then, for a term or type $A$ of TAP, we define $A^*$, a term of TAC, as follows:

(a) if $x$ is a term variable, then $x^*$ is a variable of the first class distinct from all variables $y^*$ for term variables $y$ distinct from $x$;

(b) if $a$ is a type variable, then $a^*$ is a variable of the second class distinct from all variables $b^*$ for type variables $b$ distinct from $a$;

(c) $(\alpha \to \beta)^*$ is $(\forall x : \alpha^*)\beta^*$ for a (term-)variable $x$ which does not occur free in $\alpha^*$ or $\beta^*$;

(d) $((\forall a)\alpha)^*$ is $(\forall a^* : \mathrm{Prop})\alpha^*$;

(e) $(MN)^*$ is $M^*N^*$;

(f) $(M\alpha)^*$ is $M^*\alpha^*$;

(g) $(\lambda x{:}\alpha\,.\,M)^*$ is $\lambda x^*{:}\alpha^*\,.\,M^*$; and

(h) $(\lambda a\,.\,M)^*$ is $\lambda a^*{:}\mathrm{Prop}\,.\,M^*$.

It is easy to show that if $\alpha$ is any type-scheme of TAP, then $\alpha^*$ is in normal form, and that if $M$ is any term of TAP which is in normal form, then $M^*$ is also in normal form. Note also that this interpretation takes any $\beta$-contraction of TAP into a $\beta$-contraction of TAC.

Theorem 4.16 Let $\Gamma$ be a sequence

\[
x_1 : \alpha_1, \ x_2 : \alpha_2, \ \ldots, \ x_n : \alpha_n
\]

of assumptions in TAP, and let $\Gamma^*$ be

\[
x_1^* : \alpha_1^*, \ x_2^* : \alpha_2^*, \ \ldots, \ x_n^* : \alpha_n^*.
\]

Let $\alpha$ be any type scheme in TAP, let $a_1, \ldots, a_m$ include all of the type variables which occur free in $\alpha$, and let $\Gamma'$ be

\[
a_1^* : \mathrm{Prop}, \ \ldots, \ a_m^* : \mathrm{Prop}.
\]

If $\mathcal{D}$ is a normal deduction in TAC of

\[
\Gamma^*, \Gamma' \vdash M^* : \alpha^*,
\]

where $M$ is a term of TAP, then there is a normal deduction $\mathcal{D}'$ in TAP of

\[
\Gamma \vdash M : \alpha.
\]

¹⁴ Cf. Hindley & Seldin [HS86] Theorem 16.66.

Proof Note first that Lemmas 16.67 and 16.68 of Hindley & Seldin [HS86] hold for TAC as well as for TAGL; the proofs for TAC are obtained by a minor change in notation from those for TAGL.

The proof is by induction on the deduction $\mathcal{D}$. Note that by hypothesis, $\mathcal{D}$ does not consist of axiom (P T), and its last inference is not by any of rules ($\kappa\kappa'$Formation) or (Eq$'\kappa$). Furthermore, since we are assuming that $\mathcal{D}$ has been transformed according to Theorem 4.1, we may assume that the last inference is not by rule (Eq$''$). For the types of the assumptions (both discharged and undischarged) are all in normal form, and if the types of the premises of any rule except ($\forall$e) and (Eq$''$) are in normal form, then so is the type of the conclusion. With regard to inferences in $\mathcal{D}$ by rule ($\forall$e), the left branch above each such inference contains inferences only by the same rule and rule (Eq$''$) and at the top of the branch is an assumption (since $\mathcal{D}$ is normal); and it is not hard to see by beginning with the assumption that because the type of the left premise of each such inference by rule ($\forall$e) is $\beta^*$ for some TAP type scheme $\beta$, so is the type of the conclusion. It follows that each of these types is in normal form, and so there is no inference by rule (Eq$''$) in the branch. There are the following remaining cases:

Case 1. $\mathcal{D}$ consists of an assumption. Then $M$ is $x_i$, $\alpha$ is $\alpha_i$, and $\mathcal{D}'$ consists of the corresponding assumption in TAP.

Case 2. The last inference in $\mathcal{D}$ is by rule ($\forall$e). Then since $\mathcal{D}$ is normal, the only inferences which occur in the left branch are by rule ($\forall$e). Furthermore, $M^*$ is in normal form. Now it follows from this that $M^*$ has the form $xM_1 \ldots M_p$, where $x$ is assigned a type by the assumption at the top of the branch (which is not discharged). Hence, $x$ is one of the $x_i^*$. By the definition of the interpretation, it follows that each $M_j$ is either $N_j^*$ for some TAP term $N_j$, in which case the type assigned to it is $\gamma_j^*$ for some TAP type scheme $\gamma_j$, or else some $\beta_j^*$ for some TAP type scheme $\beta_j$, in which case the type assigned to it is Prop. By the induction hypothesis, there is a normal deduction $\mathcal{D}_j$ of $\Gamma \vdash N_j : \gamma_j$ for each such $N_j$, and then rules ($\to$e) and ($\forall$e) of TAP can be used to obtain $\mathcal{D}'$ from the assumption $x_i : \alpha_i$ and the deductions $\mathcal{D}_j$.

Case 3. The last inference in $\mathcal{D}$ is by rule ($\forall$Pi). Then $\alpha^*$ is $(\forall x : B)C$ and $M^*$ is $\lambda x{:}B\,.\,N$. By the right premise, $B$ is $\beta^*$ for some TAP type scheme $\beta$, and it follows that $x$ is some $y^*$, for a TAP term variable $y$, and does not occur free in $C$; furthermore, $C$ is $\gamma^*$ for some TAP type scheme $\gamma$. In addition, $N$ is $P^*$ for some TAP term $P$. It follows that if the last inference is removed from $\mathcal{D}$, the result is a normal deduction $\mathcal{D}_1$ of

\[
\Gamma^*, y^* : \beta^*, \Gamma' \vdash_{\mathrm{TAC}} P^* : \gamma^*.
\]

By the induction hypothesis, there is a normal deduction $\mathcal{D}_1'$ of

\[
\Gamma, y : \beta \vdash_{\mathrm{TAP}} P : \gamma,
\]

and $\mathcal{D}'$ is obtained by an inference by rule ($\to$i).

Case 4. The last inference in $\mathcal{D}$ is by rule ($\forall$Ti). Then $\alpha^*$ is $(\forall x : B)C$ and $M^*$ is $\lambda x{:}B\,.\,N$. By the right premise, $B$ is Prop. Hence, $x$ is $a^*$ for a TAP type variable $a$, $C$ is $\beta^*$ for some TAP type scheme $\beta$, and $N$ is $P^*$ for some TAP term $P$. It follows that if the last inference is removed from $\mathcal{D}$, the result is a normal deduction $\mathcal{D}_1$ of

\[
\Gamma^*, \Gamma', a^* : \mathrm{Prop} \vdash_{\mathrm{TAC}} P^* : \beta^*.
\]

By the induction hypothesis, there is a normal deduction $\mathcal{D}_1'$ of

\[
\Gamma \vdash_{\mathrm{TAP}} P : \beta.
\]

Since $\alpha$ is $(\forall a)\beta$, $\mathcal{D}'$ follows by an inference by rule ($\forall$i).

Case 5. The last inference in $\mathcal{D}$ is by rule ($\equiv_\alpha$). This case is trivial since the same rule (essentially) is also a rule of TAP. ■

Corollary 4.16.1 Under the hypotheses of the theorem, if $N \equiv M^*$ and if $A \equiv \alpha^*$, and if

\[
\Gamma^*, \Gamma' \vdash_{\mathrm{TAC}} N : A,
\]

then

\[
\Gamma \vdash_{\mathrm{TAP}} M : \alpha.
\]
4.5 The theory of constructions: sequent formulation

In this section we shall consider an alternative formulation of the theory of constructions. It is a variant of the form in which the theory was originally presented in Coquand [Coq85], and is closer to the presentation in other papers by Coquand and Huet than is the system TAC.

As we saw in the last section, every rule which discharges an assumption of the form $x : A$ has a premise not depending on this discharged assumption that is either $A : \mathrm{Prop}$ or $A : \mathrm{Type}$. If we wanted to, we could take these premises as justifications for the assumptions instead of premises for the rules; this is the approach adopted by Martin-Löf in his work (see his [Mar75], [Mar82], and [Mar84]). The main reason this is not done in TAC is that it would require that premise to be written above the assumption, and then the assumptions would not occur at the tops of branches, an inconvenience for the theory of a system such as TAC. But for the form of the theory of constructions presented by Coquand, it is the most useful approach.

This form of the theory of constructions is what is known as a sequent calculus. A sequent is an expression of the form

\[
\Gamma \vdash E, \tag{4.10}
\]

where $\Gamma$ is a (possibly empty) sequence of formulas and $E$ is a formula. This particular sequent calculus is formulated in such a way that the only nonempty sequences that can occur to the left of the turnstile (the symbol ‘$\vdash$’) are well-formed environments. This will make unnecessary the premises which “justify” the discharged assumptions; for these assumptions will all occur to the left of the turnstile in the premises of the rules and will hence be part of well-formed environments, and so these premises will automatically hold. The fact that $\Gamma$ is a well-formed environment will be equivalent to the derivability of the sequent

\[
\Gamma \vdash \mathrm{Prop} : \mathrm{Type}.
\]


The  system  will  be  called  TACS. 

Note that until the equivalence of TAC and TACS is proved, it will be necessary to specify the system with respect to which an environment is well-formed. Until notice to the contrary is given, a well-formed environment will mean with respect to TACS.

Definition 4.21 (The type assignment system TACS) The system TACS is a sequent calculus; its sequents are of the form

\[
\Gamma \vdash E, \tag{4.11}
\]

where $\Gamma$ is a sequence of TAC formulas and $E$ is a TAC formula. The system has one axiom:

\[
(\mathrm{P\ T})\quad \vdash \mathrm{Prop} : \mathrm{Type}
\]

Its rules are as follows, where, in each case, $x$ is a variable which does not occur free in $\Gamma$ or in $A$, and $\kappa$ is any kind:

I. Well-formed environments:

\[
(\mathrm{Pi})\quad \dfrac{\Gamma \vdash A : \kappa}{\Gamma, x : A \vdash \mathrm{Prop} : \mathrm{Type}}
\]

II. Introduction of product:

\[
(\forall\mathrm{i})\quad \dfrac{\Gamma, x : A \vdash B : \kappa}{\Gamma \vdash (\forall x : A)B : \kappa}
\]

III. Introduction of a variable:

\[
(\mathrm{Pe})\quad \dfrac{\Gamma \vdash \mathrm{Prop} : \mathrm{Type}}{\Gamma \vdash y : A}
\qquad \text{Condition: } y : A \text{ occurs in } \Gamma \text{ and } y \text{ does not occur free in } A.
\]

IV. Lambda introduction:

\[
(\lambda\mathrm{i})\quad \dfrac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x{:}A\,.\,M : (\forall x : A)B}
\]

V. Application:

\[
(\forall\mathrm{e})\quad \dfrac{\Gamma \vdash M : (\forall x : A)B \qquad \Gamma \vdash N : A}{\Gamma \vdash MN : [N/x]B}
\]

VI. Equality rules:

(Eq$''$) If $A =_\beta B$, then

\[
\dfrac{\Gamma \vdash M : B}{\Gamma \vdash M : A}
\]

(Eq$'\kappa$) If $A =_\beta B$, then

\[
\dfrac{\Gamma \vdash B : \kappa}{\Gamma \vdash A : \kappa}
\]

VII. Changes of bound variables:

If $N$ is obtained from $M$ by changes of bound variables, then:

\[
\dfrac{\Gamma \vdash M : A}{\Gamma \vdash N : A}
\]
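As an added worked derivation (not from the report), here is a TACS derivation of $x : \mathrm{Prop} \vdash \lambda y{:}x\,.\,y : (\forall y : x)x$ using only the axiom and rules (Pi), (Pe) and ($\lambda$i) of Definition 4.21; every environment it uses is certified by a sequent of the form $\Gamma \vdash \mathrm{Prop} : \mathrm{Type}$ before a variable is introduced from it:

\[
\begin{array}{rll}
1. & \vdash \mathrm{Prop} : \mathrm{Type} & (\mathrm{P\ T}) \\
2. & x : \mathrm{Prop} \vdash \mathrm{Prop} : \mathrm{Type} & (\mathrm{Pi})\ \text{from 1, with } A \equiv \mathrm{Prop},\ \kappa \equiv \mathrm{Type} \\
3. & x : \mathrm{Prop} \vdash x : \mathrm{Prop} & (\mathrm{Pe})\ \text{from 2; } x : \mathrm{Prop} \text{ occurs in } \Gamma \text{ and } x \notin \mathrm{FV}(\mathrm{Prop}) \\
4. & x : \mathrm{Prop},\ y : x \vdash \mathrm{Prop} : \mathrm{Type} & (\mathrm{Pi})\ \text{from 3, with } A \equiv x,\ \kappa \equiv \mathrm{Prop} \\
5. & x : \mathrm{Prop},\ y : x \vdash y : x & (\mathrm{Pe})\ \text{from 4; } y : x \text{ occurs in } \Gamma \text{ and } y \notin \mathrm{FV}(x) \\
6. & x : \mathrm{Prop} \vdash \lambda y{:}x\,.\,y : (\forall y : x)x & (\lambda\mathrm{i})\ \text{from 5}
\end{array}
\]

In TAC the rule that discharges $y : x$ would need the justifying premise $x : \mathrm{Prop}$ written as a separate premise; in TACS that justification is step 2, the sequent certifying that $x : \mathrm{Prop}$ is a well-formed environment, which is exactly the difference described above.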


We  shall  now  establish  the  equivalence  of  TACS  and  TAC: 

Lemma 4.9 If $\Gamma \vdash_{\mathrm{TACS}} E$ for any formula $E$, and if $\Gamma'$ is any initial segment of $\Gamma$ (possibly including $\Gamma$ itself), then each derivation of $\Gamma \vdash_{\mathrm{TACS}} E$ contains a subderivation of $\Gamma' \vdash_{\mathrm{TACS}} \mathrm{Prop} : \mathrm{Type}$.

Proof By induction on the derivation of $\Gamma \vdash_{\mathrm{TACS}} E$.

Basis: If $\Gamma \vdash_{\mathrm{TACS}} E$ is the axiom (P T), then $\Gamma'$ is empty, and the result is trivial.

Induction step: We assume the property for each premise of a rule and prove it for the conclusion.

If the sequence to the left of $\vdash$ in the conclusion is an initial segment of that of at least one premise, this is trivial. This takes care of all rules except (Pi). In this case, $\Gamma$ is $\Gamma_1, x : A$, and $E$ is $\mathrm{Prop} : \mathrm{Type}$. If $\Gamma'$ is all of $\Gamma$, then the entire deduction is what we seek. Otherwise, $\Gamma'$ is an initial segment of $\Gamma_1$, and the result is trivial by the induction hypothesis. ■

Lemma 4.10 If $\Gamma \vdash_{TACS} \mathrm{Prop} : \mathrm{Type}$, then $\Gamma$ is a well-formed environment.

Proof By induction on the pair $(n, m)$, where $n$ is the number of formulas in $\Gamma$ and $m$ is the length of the derivation of $\Gamma \vdash_{TACS} \mathrm{Prop} : \mathrm{Type}$.

Basis: Trivial, since $\Gamma$ is empty.

Induction step: Assume the lemma for any initial subsequence of $\Gamma$, and suppose that $\Gamma$ is $\Gamma', x : A$. By the induction hypothesis, $\Gamma'$ is a well-formed environment. Now the only rules of which

\[ \Gamma', x : A \vdash_{TACS} \mathrm{Prop} : \mathrm{Type} \]

can be the conclusion are the equality rules and (Pi). If the rule is an equality rule, then by Lemma 4.9 there is a subderivation of the derivation of the premise of the inference which is a derivation of

\[ \Gamma', x : A \vdash_{TACS} \mathrm{Prop} : \mathrm{Type} \]

and so the conclusion follows by the induction hypothesis; if the rule is (Pi), then it follows that $x$ does not occur free in $\Gamma'$ or in $A$ and that

\[ \Gamma' \vdash_{TACS} A : \kappa. \]

Since $\Gamma'$ is a well-formed environment, this implies that $\Gamma$ is as well. ■

Lemma 4.11 If $\Gamma \vdash_{TACS} E$, then $\Gamma$ is a well-formed environment.

Proof Lemmas 4.9 and 4.10. ■

Theorem 4.17 There is a formula $E$ such that $\Gamma \vdash_{TACS} E$ if and only if $\Gamma$ is a well-formed environment.

Proof The “only if” part is Lemma 4.11. The “if” part is easy using the axiom and rules (Pi). ■

We are now in a position to prove the equivalence between TAC and TACS.

Theorem 4.18 If

\[ \Gamma \vdash_{TACS} E, \tag{4.12} \]

then

\[ \Gamma \vdash_{TAC} E. \tag{4.13} \]

Proof By induction on the derivation of (4.12).

Basis: (4.12) is axiom (PT). Then $\Gamma$ is empty, $E$ is $\mathrm{Prop} : \mathrm{Type}$, and (4.13) holds by axiom (PT) in TAC.

Induction step: The cases are by the last rule used in the derivation of (4.12).

Case (Pi). Trivial.

Case (∀i). $E$ is $(\forall x : A)B : \kappa$, where $x$ does not occur free in $A$ or $\Gamma$, and the premise is

\[ \Gamma, x : A \vdash_{TACS} B : \kappa. \]

By the induction hypothesis,

\[ \Gamma, x : A \vdash_{TAC} B : \kappa. \]

Furthermore, by Theorem 4.17, $\Gamma, x : A$ is a well-formed environment (with respect to TACS). This means that the derivation of (4.12) includes a subderivation of

\[ \Gamma \vdash_{TACS} A : \kappa'. \]

Hence, again by the induction hypothesis,

\[ \Gamma \vdash_{TAC} A : \kappa'. \]

Hence, (4.13) follows by (κκ′Formation).

Case (Pe). Trivial by the conventions of natural deduction systems.

Case (λi). Similar to Case (∀i), using (∀κi).

Case (∀e). $E$ is $MN : [N/x]B$, and the premises are

\[ \Gamma \vdash_{TACS} M : C \quad \text{and} \quad \Gamma \vdash_{TACS} N : A, \]

where $C =_\beta (\forall x : A)B$. By the induction hypothesis

\[ \Gamma \vdash_{TAC} M : C \quad \text{and} \quad \Gamma \vdash_{TAC} N : A. \]

(4.13) then follows by rules (Eq″) and (∀e).

Case (Eq″). Trivial by rule (Eq″).

Case (Eq′κ). Trivial by rule (Eq′κ).

Case (=α). Trivial by rule (=α). ■

For the converse we have:

Theorem 4.19 If $\Gamma$ is a well-formed environment, and if (4.13) holds, then (4.12) holds.

Proof By induction on the proof of (4.13).

Basis: If (4.13) is axiom (PT), then (4.12) follows by axiom (PT).

Induction step: The cases are by the last rule in the deduction of (4.13).

Case (κκ′Formation). (4.13) is

\[ \Gamma \vdash_{TAC} (\forall x : A)B : \kappa', \]

where $x$ does not occur free in $A$ or in $\Gamma$. The premises are

\[ \Gamma \vdash_{TAC} A : \kappa \quad \text{and} \quad \Gamma, x : A \vdash_{TAC} B : \kappa'. \]

Hence, $\Gamma, x : A$ is a well-formed environment (with respect to TAC), and so by the induction hypothesis

\[ \Gamma, x : A \vdash_{TACS} B : \kappa'. \]

Hence, (4.12) follows by (Pi).

Case (∀e). (4.13) is

\[ \Gamma \vdash_{TAC} MN : [N/x]B, \]

where the premises are

\[ \Gamma \vdash_{TAC} M : (\forall x : A)B \quad \text{and} \quad \Gamma \vdash_{TAC} N : A. \]

By the induction hypothesis,

\[ \Gamma \vdash_{TACS} M : (\forall x : A)B \quad \text{and} \quad \Gamma \vdash_{TACS} N : A. \]

Hence, (4.12) follows by rule (∀e).

Case (∀κi). (4.13) is

\[ \Gamma \vdash_{TAC} \lambda x : A \,.\, M : (\forall x : A)B, \]

where the premises are

\[ \Gamma, x : A \vdash_{TAC} M : B \quad \text{and} \quad \Gamma \vdash_{TAC} A : \kappa, \]

where $x$ does not occur free in $A$ or in $\Gamma$. It follows that $\Gamma, x : A$ is a well-formed environment with respect to TAC, and so by the induction hypothesis,

\[ \Gamma, x : A \vdash_{TACS} M : B. \]

Hence, (4.12) follows by rule (λi).

Cases (Eq″), (Eq′κ), and (=α). Trivial by the corresponding rules in TACS. ■

Theorem 4.20 A necessary and sufficient condition that (4.12) hold is that $\Gamma$ be a well-formed environment (with respect to TAC) and that (4.13) hold.^{15}

Proof Theorems 4.18 and 4.19. ■

Corollary 4.20.1 An environment $\Gamma$ is well-formed with respect to TAC if and only if it is well-formed with respect to TACS.

For this reason, we shall no longer specify the system with respect to which an environment is well-formed.

Remark The system TACS is slightly more general than the sequent version of the theory of constructions presented by Coquand and Huet in that its equality rules are more general. To obtain a natural deduction system equivalent to Huet's system, the rules (Eq′κ) must be deleted, rule (Eq″) must be replaced by the two more restricted rules

\[ \frac{M : A \qquad B : \kappa \qquad A =_\beta B}{M : B}, \]

and rule (=α) must be generalized to allow changes of bound variables in both parts of a formula $M : A$. The corresponding changes in TACS include introducing equality rules corresponding to those given above, and modifying rule (=α) accordingly.^{16}

^{15} Pottinger [Pot87] proposes a sequent formulation that is closer to TAC than is TACS and helps to emphasize the equivalence. In Pottinger's system, which he calls TOC 1, rules (Pi) and (∀i) are replaced, respectively, by Hyp ($\Gamma \vdash A : \kappa \Rightarrow \Gamma, x : A \vdash x : A$) and Reit ($\Gamma \vdash E$ & $\Gamma, F \vdash G \Rightarrow \Gamma, F \vdash E$). Pottinger proves that TOC 1 is equivalent to TACS (which he calls TOC 2). Since Pottinger's TOC 1 is a sequent version of TAC in the style of Fitch [Fit52], Pottinger's equivalence result can be considered another form of this theorem.

^{16} Pottinger's TOC 1 (see the previous footnote) actually uses this more restricted version of the equality rules.
Chapter 5

REPRESENTING LOGIC AND MATHEMATICS IN THE THEORY OF CONSTRUCTIONS


It is now time to show that the theory of constructions can be a useful basis for the ROMULUS system, and to show that we can represent many important concepts from logic and mathematics in the theory.

This representation has actually been done by Coquand and Huet^{1}. However, their presentation consists of little more than definitions and examples, and so a number of people have doubted the power of the theory. Here, in addition to the important definitions and examples, we shall look at some proof-theoretic consequences of the strong normalization theorem to show that these concepts behave the way we want them to.

We begin in Section 5.1 with the representation of propositional and predicate logic with equality. In Section 5.2 we discuss the addition of axioms to the system and how this might affect consistency. Then, in the remaining sections, we take up the representation of arithmetic, elementary set theory, and functions. The representation of arithmetic includes the axiom of mathematical induction, and it can thus serve as a model for the representation of inductively generated free algebras. As an example of this, we take up lists (finite sequences). These lists are useful in the formulation of the hook-up security property.

^{1} See [CH86], [CH], and [Hue86], chapters 11 and 12.
5.1 Representing logic with equality

We have already discussed representing the connectives and quantifiers of logic in TAP (Section 2.4) and TAT (Section 3.6). Since TAP can be interpreted in the theory of constructions (by Theorem 4.2), we can use these same definitions. It will be convenient to repeat the appropriate definitions here. They are taken practically word-for-word from Section 3.6, but a notation more suggestive of logic will be used.

To use these definitions, we need the arrow, or function-space, type. This now becomes the implication proposition operator:

Definition 5.1 (Implication proposition operator) The term $F$ is defined as follows:

\[ F \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, (\forall x : u)v. \]

We use either $A \to B$ or $A \supset B$ as an abbreviation for $FAB$, depending on the context.

It is easy to show that $\to$ satisfies the rules (→e) and (→i). This means, of course, that $\supset$ satisfies rules (⊃e) and (⊃i).

Definition 5.2 (Cartesian product proposition) The conjunction proposition operator and its associated pairing and projection operators are defined as follows:

(a) $\wedge \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, (\forall w : \mathrm{Prop})((u \to v \to w) \to w)$;

(b) $D \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, \lambda x : u \,.\, \lambda y : v \,.\, \lambda w : \mathrm{Prop} \,.\, \lambda z : u \to v \to w \,.\, zxy$;

(c) $\mathrm{fst} \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, \lambda x : \wedge uv \,.\, xu(\lambda y : u \,.\, \lambda z : v \,.\, y)$; and

(d) $\mathrm{snd} \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, \lambda x : \wedge uv \,.\, xv(\lambda y : u \,.\, \lambda z : v \,.\, z)$.

We use $A \wedge B$ as an abbreviation for $\wedge AB$.

It is not at all difficult to prove from these definitions that if $A : \mathrm{Prop}$ and $B : \mathrm{Prop}$,

\[ DAB : A \to B \to A \wedge B, \]

\[ \mathrm{fst}\,AB : A \wedge B \to A, \]

and

\[ \mathrm{snd}\,AB : A \wedge B \to B. \]

Furthermore, it is easy to see that if $M : A$ and $N : B$, then

\[ \mathrm{fst}\,AB(DABMN) =_\beta M \]

and

\[ \mathrm{snd}\,AB(DABMN) =_\beta N. \]
Definition 5.3 (Disjunction proposition operator) The disjunction proposition operator and its associated injection and case operators are defined as follows:

(a) $\vee \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, (\forall w : \mathrm{Prop})((u \to w) \to ((v \to w) \to w))$;

(b) $\mathrm{inl} \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, \lambda x : u \,.\, \lambda w : \mathrm{Prop} \,.\, \lambda f : u \to w \,.\, \lambda g : v \to w \,.\, fx$;

(c) $\mathrm{inr} \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, \lambda y : v \,.\, \lambda w : \mathrm{Prop} \,.\, \lambda f : u \to w \,.\, \lambda g : v \to w \,.\, gy$; and

(d) $\mathrm{case} \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Prop} \,.\, \lambda z : \vee uv \,.\, \lambda w : \mathrm{Prop} \,.\, \lambda f : u \to w \,.\, \lambda g : v \to w \,.\, zwfg$.

We use $A \vee B$ as an abbreviation for $\vee AB$.

It is easy to show that if $A : \mathrm{Prop}$ and $B : \mathrm{Prop}$, then

\[ \mathrm{inl}\,AB : A \to A \vee B, \]

\[ \mathrm{inr}\,AB : B \to A \vee B, \]

and

\[ \mathrm{case}\,AB : A \vee B \to (\forall w : \mathrm{Prop})((A \to w) \to ((B \to w) \to w)). \]

Furthermore, it is easy to show that if $C : \mathrm{Prop}$, $M : A$, $N : B$, $F : A \to C$, and $G : B \to C$, then

\[ \mathrm{case}\,AB(\mathrm{inl}\,ABM)CFG =_\beta FM \]

and

\[ \mathrm{case}\,AB(\mathrm{inr}\,ABN)CFG =_\beta GN. \]

Definition 5.4 (False proposition) $\bot \equiv (\forall x : \mathrm{Prop})x$.

With regard to the existential quantifier, we are now in a position to remove an anomaly from Definition 3.16. For we now have the machinery to refer to functions whose values are types.

Definition 5.5 (Existential quantifier) The existential quantifier proposition operator and its associated pairing and projection functions are defined as follows:

(a) $\Sigma \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : u \to \mathrm{Prop} \,.\, (\forall w : \mathrm{Prop})((\forall x : u)(vx \to w) \to w)$;

(b) $D' \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : u \to \mathrm{Prop} \,.\, \lambda x : u \,.\, \lambda y : vx \,.\, \lambda w : \mathrm{Prop} \,.\, \lambda z : (\forall x : u)(vx \to w) \,.\, zxy$; and

(c) $\mathrm{proj} \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : u \to \mathrm{Prop} \,.\, \lambda w : \mathrm{Prop} \,.\, \lambda z : (\forall x : u)(vx \to w) \,.\, \lambda y : \Sigma uv \,.\, ywz$.

We use $(\exists x : A)B$ as an abbreviation for $\Sigma A(\lambda x : A \,.\, B)$.

It is not hard to show that if $A : \mathrm{Prop}$ and $B : A \to \mathrm{Prop}$, then

\[ (\exists x : A)B : \mathrm{Prop}, \]

\[ D'AB : (\forall u : A)(Bu \supset (\exists x : A)(Bx)), \]

and

\[ \mathrm{proj}\,AB : (\forall x : \mathrm{Prop})((\forall u : A)(\forall v : Bu)x \supset (\exists w : A)(Bw) \supset x). \]

Furthermore, if in addition $C : \mathrm{Prop}$, $M : A$, $N : BM$, and $Z : (\forall u : A)(Bu \to C)$, then

\[ \mathrm{proj}\,ABCZ(D'ABMN) =_\beta ZMN. \]

Note that $D'$ differs from $D$ only in the types postulated for some of the bound variables. But this difference is enough to make it impossible to define a right projection for $D'$ that is correctly typed^{2}.

We can also define equality over any type:

Definition 5.6 (Equality proposition) The equality proposition

\[ M =_A N, \]

where $A$ is assigned type $\mathrm{Prop}$, is defined to be

\[ QAMN, \]

where

\[ Q \equiv \lambda u : \mathrm{Prop} \,.\, \lambda x : u \,.\, \lambda y : u \,.\, (\forall z : u \to \mathrm{Prop})(zx \supset zy). \]

It is not hard to show that if $A : \mathrm{Prop}$ and $X : A$, then

\[ \lambda z : A \to \mathrm{Prop} \,.\, \lambda u : zX \,.\, u : X =_A X, \]

and that if in addition $Y : A$, $M : X =_A Y$, $Z : A \to \mathrm{Prop}$, and $N : ZX$, then

\[ MZN : ZY. \]

This gives us the reflexive law of the equality proposition and the substitution property; these two properties are well known to imply all the usual properties of equality.

It is not hard to see from this that we have all the usual properties of constructive predicate logic with equality.

^{2} On this point, see [Cu86]. Of course, $\mathrm{fst}$ works as a left projection function for $D'$.
We can also interpret classical logic. One interpretation^{3} is based on the following easily proved facts about intuitionistic logic:

\[ \vdash \neg\neg\neg A \supset \neg A, \]

\[ \neg\neg A \supset A,\ \neg\neg B \supset B \vdash \neg\neg(A \wedge B) \supset (A \wedge B), \]

and

\[ \neg\neg A(x) \supset A(x) \vdash \neg\neg(\forall x)A(x) \supset (\forall x)A(x). \]

Results corresponding to these can easily be proved in the theory of constructions. This means that for formulas $A$ which are classical, that is for which $\vdash \neg\neg A \supset A$, the logic is classical. Furthermore, all negative formulas are classical and both $\wedge$ and $\forall$ preserve classical formulas. For other classical connectives and the existential quantifier, we can use their familiar classical properties to define them:

\[ A \supset_c B \equiv \neg(A \wedge \neg B), \]

\[ A \vee_c B \equiv \neg(\neg A \wedge \neg B), \]

and

\[ (\exists_c x : A)B \equiv \neg(\forall x : A)\neg B. \]

Since these are all negative formulas, they are all classical.

It is not hard to prove that if $A$ is classical (in a well-formed environment $\Gamma$), then there is a term $M$ all of whose free variables are assigned types in $\Gamma$ such that

\[ \Gamma \vdash_{TAC} M : \neg A \vee_c A. \]

If this method of representing classical logic is used in any “applied” theory, then it is necessary to be certain that

\[ \neg\neg E \supset E \]

is provable for each formula $E$ corresponding to an atomic formula in ordinary first order logic. To assure this, it may well be necessary to take these formulas as new axioms.

A second method of interpreting classical logic is as follows: define

\[ \mathrm{Bool} \equiv (\forall u : \mathrm{Prop})(u \to u \to u), \]

\[ T \equiv \lambda u : \mathrm{Prop} \,.\, \lambda x : u \,.\, \lambda y : u \,.\, x, \]

and

\[ F \equiv \lambda u : \mathrm{Prop} \,.\, \lambda x : u \,.\, \lambda y : u \,.\, y. \]

^{3} See [CH] §3.3, where this is done for propositional logic.

Here, $\mathrm{Bool}$ represents the boolean type familiar from the usual programming languages, and $T$ and $F$ the familiar truth values. The familiar if ... then ... else operator is defined as follows:

\[ \mathrm{Cond} \equiv \lambda u : \mathrm{Prop} \,.\, \lambda v : \mathrm{Bool} \,.\, \lambda x : u \,.\, \lambda y : u \,.\, vuxy. \]

It is easy to prove that $T : \mathrm{Bool}$ and $F : \mathrm{Bool}$ and, if $A$ is any type in $\mathrm{Prop}$ and $M : A$ and $N : A$, then

\[ \mathrm{Cond}\,ATMN =_\beta M \]

and

\[ \mathrm{Cond}\,AFMN =_\beta N. \]

The propositional connectives familiar to most programmers can now be defined:

\[ \neg_k \equiv \lambda x : \mathrm{Bool} \,.\, \mathrm{Cond}\,\mathrm{Bool}\,x\,F\,T, \]

\[ \wedge_k \equiv \lambda x : \mathrm{Bool} \,.\, \neg_k x\,\mathrm{Bool}\,F, \]

and

\[ \vee_k \equiv \lambda x : \mathrm{Bool} \,.\, x\,\mathrm{Bool}\,T. \]

It is then easy to prove the following:

\[ \begin{array}{ll}
\neg_k T =_\beta F & \neg_k F =_\beta T \\
\wedge_k TT =_\beta T & \wedge_k TF =_\beta F \\
\wedge_k FT =_\beta F & \wedge_k FF =_\beta F \\
\vee_k TT =_\beta T & \vee_k TF =_\beta T \\
\vee_k FT =_\beta T & \vee_k FF =_\beta F
\end{array} \]

We can then get implication as usual by defining

\[ \supset_k \equiv \lambda x : \mathrm{Bool} \,.\, \lambda y : \mathrm{Bool} \,.\, \neg_k(x \wedge_k \neg_k y), \]

and its usual truth table properties will follow.
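The Boolean interpretation just defined, as an added TypeScript example (not code from the report): Bool, T, F, Cond and the connectives ¬_k, ∧_k, ∨_k and ⊃_k, with the report's explicit Prop argument written as an implicit generic; the function names and the truthTable check are this example's own assumptions.

```typescript
// Added example (not the report's code): the Boolean interpretation of
// classical logic from Section 5.1 in TypeScript. The report's explicit
// type argument (the λu:Prop abstraction) becomes an implicit generic.
type Bool = <U>(x: U, y: U) => U;

// T ≡ λu:Prop . λx:u . λy:u . x     F ≡ λu:Prop . λx:u . λy:u . y
const T: Bool = (x, y) => x;
const F: Bool = (x, y) => y;

// Cond ≡ λu:Prop . λv:Bool . λx:u . λy:u . v u x y
function Cond<U>(v: Bool, x: U, y: U): U {
  return v(x, y);
}

// ¬_k ≡ λx:Bool . Cond Bool x F T
const notK = (x: Bool): Bool => Cond<Bool>(x, F, T);

// ∧_k ≡ λx:Bool . ¬_k x Bool F ; the second conjunct y is the remaining
// argument of the partial application, so ∧_k x y = (¬_k x) Bool F y.
const andK = (x: Bool, y: Bool): Bool => notK(x)(F, y);

// ∨_k ≡ λx:Bool . x Bool T ; likewise ∨_k x y = x Bool T y
const orK = (x: Bool, y: Bool): Bool => x(T, y);

// ⊃_k ≡ λx:Bool . λy:Bool . ¬_k (x ∧_k ¬_k y)
const impK = (x: Bool, y: Bool): Bool => notK(andK(x, notK(y)));

// Observe a Church boolean by β-reducing it against two distinguishable
// values (this plays the role of the =_Bool T judgement the report uses).
function toBoolean(b: Bool): boolean {
  return b<boolean>(true, false);
}

// The truth tables the report states for ¬_k, ∧_k, ∨_k and ⊃_k, computed
// by reduction; keys such as "and TF" stand for ∧_k T F (assumed naming).
function truthTable(): Record<string, boolean> {
  const values: [string, Bool][] = [["T", T], ["F", F]];
  const table: Record<string, boolean> = {};
  for (const [xn, x] of values) {
    table[`not ${xn}`] = toBoolean(notK(x));
    for (const [yn, y] of values) {
      table[`and ${xn}${yn}`] = toBoolean(andK(x, y));
      table[`or ${xn}${yn}`] = toBoolean(orK(x, y));
      table[`imp ${xn}${yn}`] = toBoolean(impK(x, y));
    }
  }
  return table;
}
```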

In this formulation of classical logic, a proof of a proposition $A$ is not a term with that proposition as its type, but rather a term with the type $A =_{\mathrm{Bool}} T$. Thus, unlike the first interpretation of constructive logic, this interpretation is based on a different set of terms to represent the propositions. In fact, it is based on the idea^{4} that there are only two propositions, $T$ and $F$.

Extending this second interpretation to quantifier logic is a bit complicated. The obvious way to proceed is to assume that we have a propositional function $A$ over some domain $D$, which is a type. In this case, this means that $A : D \to \mathrm{Bool}$. We would want $(\forall_k x : D)(Ax)$ to be $T$ if and only if $AM$ is $T$ for every $M : D$ and to be $F$ otherwise; but this specification assumes classical logic, whereas the type

\[ (\forall x : D)(Ax =_{\mathrm{Bool}} T) \]

is treated constructively by TAC, and in general there is no term with the type

\[ (\forall x : D)(Ax =_{\mathrm{Bool}} T) \vee (\exists x : D)(Ax =_{\mathrm{Bool}} F). \]

One possible solution is to use the first interpretation of classical logic, and replace $\exists$ by $\exists_c$. But this will only work if $D$ is a type for which there is a term of type

\[ (\forall x : D)(\neg\neg(Ax =_{\mathrm{Bool}} T) \supset (Ax =_{\mathrm{Bool}} T)). \]

A third possible method of interpreting classical logic is to add a new axiom by assigning to an atomic constant the type

\[ (\forall u : \mathrm{Prop})(\neg u \vee u).^{5} \]

We will have more to say about this in Section 5.2.

^{4} Originally due to Frege.

^{5} We could equally well use the formula $(\forall u : \mathrm{Prop})(\neg\neg u \supset u)$.
5.2 Adding axioms to the theory of constructions

As we have seen, when logic is represented in the theory of constructions, the formulas are all represented by types in $\mathrm{Prop}$; the terms in these types will represent proofs. One consequence of this is that assuming a new axiom $A$ will mean taking a new atomic constant $c$ and adding $c : A$ as a new assumption to the environment.

Now the way we have proved the strong normalization theorem in Chapter 4 guarantees that such constants can be added without interfering with the proof of the theorem provided that these new constants do not occur at the heads of new redexes. But this is just the way new axioms are added. Thus, adding new axioms does not have any effect on the strong normalization theorem.

But adding new axioms may well affect the consistency of the system. Suppose, for example, we assume $c : \bot$. This amounts to assuming $\bot$ as an axiom, i.e., to assuming the inconsistency of the system. This is one way in which the theory of constructions differs from the second order polymorphic typed $\lambda$-calculus: in the latter, Theorem 2.4 shows that the strong normalization theorem implies both the consistency of the entire system and of any set of assumptions^{6}, whereas in the former, as we have seen, the strong normalization theorem does not imply the consistency of all sets of assumptions.

The strong normalization theorem does, however, imply the consistency of the empty environment, and thus of the system TAC itself:

Theorem 5.1 (Consistency of TAC) There is no closed term $M$ such that

\[ \vdash_{TAC} M : \bot. \]

Proof Similar to the proof of Theorem 2.4. ■

Note that this proves the consistency of the higher-order constructive and classical logic of the previous section.

Although the strong normalization theorem does not imply the consistency of all sets of assumptions, it does imply the consistency of some particular sets of assumptions. For example, suppose $\Gamma$ is

\[ x_1 : \neg A_1,\ x_2 : \neg A_2,\ \ldots,\ x_n : \neg A_n, \]

where $\neg A$ is defined to be $A \supset \bot$. To show that $\Gamma$ is consistent it is sufficient to show that there is no closed term $M$ for which

\[ \Gamma \vdash_{TAC} M : A_i \]

for any $i$. As an example, let us prove that negations of equations between terms with distinct normal forms are consistent if there are no other assumptions.

Theorem 5.2 (Q-consistency^{7}) Let $\Gamma$ be a set of assumptions in which each formula assigns to some (distinct) constant a type which converts to the form $\neg P =_A Q$ for terms $P$ and $Q$ of type $A$ with distinct normal forms. Suppose that there is a closed term $R$ such that

\[ \Gamma \vdash_{TAC} R : M =_A N. \]

Then

\[ M =_\beta N. \]

Proof Let $\mathcal{D}$ be a deduction in normal form of

\[ \Gamma \vdash_{TAC} R : M =_A N. \]

We proceed by induction on the structure of $\mathcal{D}$. Thus, we may suppose as part of the induction hypothesis that the theorem holds for any proper subdeduction of $\mathcal{D}$. Suppose that the last inference in $\mathcal{D}$ (except for equality rules) is by (∀e). Because $\mathcal{D}$ is normal, the only inferences in the left branch of $\mathcal{D}$ are (∀e) and (Eq″). Consider the formula at the top of the left branch of $\mathcal{D}$. Because of the form of $\mathcal{D}$ and of the rules of TAC, this formula is not a discharged assumption. If it is an undischarged assumption, then the term of that formula to which the type is assigned is a variable $x$, and $R =_\beta xR_1R_2 \ldots R_n$, contradicting the assumption that $R$ is closed. If it is a formula of $\Gamma$, then the deduction of the minor (right) premise for the inference by (∀e) of which the formula in question is the major (left) premise is a proper subdeduction of $\mathcal{D}$ whose conclusion has the form $S : P =_A Q$ for a closed term $S$ and terms $P$ and $Q$ with distinct normal forms, contradicting the assumption that the theorem holds for any proper subdeduction of $\mathcal{D}$. Hence, the last non-equality inference in $\mathcal{D}$ is not by (∀e).

Since

\[ M =_A N =_\beta (\forall z : A \to \mathrm{Prop})(zM \supset zN), \]

it follows that the last non-equality inference is by (∀Ti), $R =_\beta \lambda z : A \to \mathrm{Prop} \,.\, P$, and $\mathcal{D}$ has the form^{8}

\[
\frac{
\begin{array}{c} [z : A \to \mathrm{Prop}]^{1} \\ \mathcal{D}_1(z) \\ P : zM \supset zN \end{array}
\qquad
\dfrac{\mathrm{Prop} : \mathrm{Type} \qquad A : \mathrm{Prop}}{A \to \mathrm{Prop} : \mathrm{Type}}\ (\forall e)
}{
\lambda z : A \to \mathrm{Prop} \,.\, P : (\forall z : A \to \mathrm{Prop})(zM \supset zN)
}\ (\forall Ti - 1)
\]

where $z$ is a variable which does not occur free in $\Gamma$, $M$, or $N$. An argument similar to the above argument for $\mathcal{D}$ shows that the last non-equality inference in $\mathcal{D}_1(z)$ is not by (∀e), provided that at the end of the argument we note that although $z$ may occur free in $P$, since $z$ does not occur free in $\Gamma$ it can only occur free in the discharged assumption, and the type assigned to $z$ by that assumption makes it impossible for it to occur at the top of the left branch in $\mathcal{D}_1(z)$. Hence, the last non-equality inference in $\mathcal{D}_1(z)$ is by rule (∀Pi), $P =_\beta \lambda w : zM \,.\, Q$, and $\mathcal{D}_1(z)$ has the form

\[
\frac{
\begin{array}{c} [w : zM]^{2} \\ \mathcal{D}_2(w) \\ Q : zN \end{array}
\qquad
\dfrac{z : A \to \mathrm{Prop} \qquad M : A}{zM : \mathrm{Prop}}\ (\to e)
}{
\lambda w : zM \,.\, Q : zM \supset zN
}\ (\forall Pi - 2)
\]

where $w$ is a variable distinct from $z$ which does not occur free in $\Gamma$, $M$, or $N$. By an argument similar to that above, the last inference in $\mathcal{D}_2(w)$ is not by rule (∀e). Furthermore, any deduction of $Q : zN$ must use the hypothesis $w : zM$. Since $\mathcal{D}_2(w)$ is normal and $zM$ and $zN$ are simple types, it is not hard to see that the only rule that can occur in $\mathcal{D}_2(w)$ is (Eq″), from which it follows that $Q \equiv w$ and, more important, $M =_\beta N$. ■

^{6} Of course, if we allowed new constants in TAP, we would get the same sort of possibilities for inconsistency that we have in the theory of constructions.

^{7} This term is due to Curry; see [CF58] §8E3, p. 270.

^{8} Possibly modulo some manipulations involving rules (Eq′P), (Eq′T), and (Eq″); we will not bother to mention this fact again in what follows.


Corollary 5.2.1 If $\Gamma$ is as in the theorem, then it is consistent; i.e., there is no closed term $S$ such that

\[ \Gamma \vdash_{TAC} S : \bot. \]

This theorem can be generalized somewhat. For example, if the types of the variables are suitably restricted to prevent substitution instances of $P$ and $Q$ which are convertible to each other, it is presumably possible to prove a version of the theorem for universally quantified inequalities or for implications whose consequents are inequalities. Furthermore, as we shall see in the next section, it is possible to prove a similar theorem for a universally quantified inequality together with a universally quantified implication between equalities in which it can be shown that if the terms in the antecedent have distinct normal forms, then so do the terms in the consequent.

At the end of Section 5.1, we noted that we can obtain classical logic by taking $(\forall u : \mathrm{Prop})(\neg u \vee u)$ as a new axiom; i.e., by assuming

\[ c : (\forall u : \mathrm{Prop})(\neg u \vee u),^{9} \]

for an atomic constant $c$. We need some evidence that adding this assumption does not introduce inconsistency. Of course, if we start with assumptions which are inconsistent with the law of the excluded middle, then adding this assumption will lead to a contradiction. But in most known systems without such assumptions, the consistency of the constructive version of the system is well known to imply the consistency of the classical version. This makes it likely that adding this assumption to most consistent well-formed environments^{10} will not make the environment inconsistent.

Remark We have looked here at adding constants that do not head redexes. In general, when we want a new redex, we define a closed term that can be shown by an ordinary $\beta$-reduction to head the required redex. This does not mean that using such a definition is the most efficient way to implement the system. It does, however, show that adding the new constant and reduction rule will not upset the strong normalization theorem, since any infinite reduction using the new constant and reduction rule will imply the existence of an infinite reduction from ordinary $\beta$-reduction using the closed term which can be shown to have the same reduction rule.

^{9} Or, equally well, $c : (\forall u : \mathrm{Prop})(\neg\neg u \supset u)$.

^{10} Which do not assign a type to $c$.
5.3 Representing arithmetic

As we saw in Section 2.4, we can easily represent the natural numbers in TAP. If this definition is modified for TAC, it becomes the following:

Definition 5.7 (Natural number type)

(a) $N \equiv (\forall A : \mathrm{Prop})((A \to A) \to (A \to A))$;

(b) $0 \equiv \lambda A : \mathrm{Prop} \,.\, \lambda x : A \to A \,.\, \lambda y : A \,.\, y$;

(c) $\sigma \equiv \lambda u : N \,.\, \lambda A : \mathrm{Prop} \,.\, \lambda x : A \to A \,.\, \lambda y : A \,.\, x(uAxy)$;

(d) $\pi \equiv \lambda u : N \,.\, \mathrm{snd}\,N\,N\,(u(N \times N)\,Q\,(D\,N\,N\,0\,0))$,

where $Q \equiv \lambda v : N \times N \,.\, D\,N\,N\,(\sigma(\mathrm{fst}\,N\,N\,v))(\mathrm{fst}\,N\,N\,v)$; and

(e) $R \equiv \lambda A : \mathrm{Prop} \,.\, \lambda x : A \,.\, \lambda y : N \to A \to A \,.\, \lambda z : N \,.\, z(N \to A)\,P\,(\lambda w : N \,.\, x)\,z$,
where $P \equiv \lambda v : N \to A \,.\, \lambda w : N \,.\, y(\pi w)(v(\pi w))$.

The term $\bar{n}$, which represents the natural number $n$, is defined to be

\[ \sigma(\sigma(\ldots(\sigma 0)\ldots)), \]

where there are $n$ occurrences of $\sigma$.

As we saw above, it is not hard to show that

\[ 0 : N, \]

\[ \sigma : N \to N, \]

\[ \pi : N \to N, \]

and

\[ R : (\forall A : \mathrm{Prop})(A \to (N \to A \to A) \to N \to A). \]

It is also easy to show that

\[ \bar{n} =_\beta \lambda A : \mathrm{Prop} \,.\, \lambda x : A \to A \,.\, \lambda y : A \,.\, x(x(\ldots(xy)\ldots)), \]

where there are $n$ occurrences of $x$ after the last abstraction,

\[ \pi 0 =_\beta 0, \]

\[ \pi(\sigma\bar{n}) =_\beta \bar{n}, \]

and also, for any type $A : \mathrm{Prop}$ and any terms $M$ and $N$ of types $A$ and $N \to A \to A$ respectively,

\[ RAMN0 =_\beta M \]

and

\[ RAMN(\sigma\bar{n}) =_\beta N\bar{n}(RAMN\bar{n}). \]
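Definition 5.7 together with the pairing operators $D$, $\mathrm{fst}$ and $\mathrm{snd}$ of Definition 5.2, as an added TypeScript example (not code from the report): the numerals, $\sigma$, the pair-based predecessor $\pi$, the recursor $R$, and the reduction equations stated above, carried one step further to $+$, $\times$ and factorial by primitive recursion. The names zero, succ, pred, numeral, toNumber, add, mul and fact are this example's own, and the report's explicit type arguments become implicit generics.

```typescript
// Added example (not the report's code): Definition 5.7 in TypeScript.
// N ≡ (∀A:Prop)((A → A) → (A → A)); the ∀A becomes an implicit generic.
type N = <A>(x: (a: A) => A) => (y: A) => A;

// 0 ≡ λA:Prop . λx:A→A . λy:A . y
const zero: N = (x) => (y) => y;

// σ ≡ λu:N . λA:Prop . λx:A→A . λy:A . x(u A x y)
const succ = (u: N): N => (x) => (y) => x(u(x)(y));

// Definition 5.2: ∧ u v ≡ (∀w:Prop)((u → v → w) → w), with D, fst, snd
type Pair<U, V> = <W>(z: (a: U) => (b: V) => W) => W;
const D = <U, V>(a: U, b: V): Pair<U, V> => (z) => z(a)(b);
const fst = <U, V>(p: Pair<U, V>): U => p<U>((a) => (_b) => a);
const snd = <U, V>(p: Pair<U, V>): V => p<V>((_a) => (b) => b);

// π ≡ λu:N . snd N N (u (N × N) Q (D N N 0 0)),
// where Q ≡ λv:N×N . D N N (σ(fst N N v)) (fst N N v):
// iterating Q from (0,0) yields (n, n−1), so snd gives the predecessor.
const Q = (v: Pair<N, N>): Pair<N, N> => D(succ(fst(v)), fst(v));
const pred = (u: N): N => snd(u<Pair<N, N>>(Q)(D(zero, zero)));

// R ≡ λA:Prop . λx:A . λy:N→A→A . λz:N . z (N→A) P (λw:N . x) z,
// where P ≡ λv:N→A . λw:N . y (π w) (v (π w)).
function R<A>(x: A, y: (n: N) => (acc: A) => A, z: N): A {
  const P = (v: (w: N) => A) => (w: N): A => y(pred(w))(v(pred(w)));
  return z<(w: N) => A>(P)((_w: N) => x)(z);
}

// n̄ = σ(σ(...(σ0)...)) with n occurrences of σ.
function numeral(n: number): N {
  let t = zero;
  for (let i = 0; i < n; i++) t = succ(t);
  return t;
}

// Read a numeral back: n̄ applied to (+1) and 0 counts the n occurrences
// of x after the last abstraction.
function toNumber(u: N): number {
  return u<number>((a) => a + 1)(0);
}

// Defining equations for + and × follow from the reduction properties of R:
// m + 0 = m, m + σn = σ(m + n);  m × 0 = 0, m × σn = (m × n) + m.
const add = (m: N, n: N): N => R<N>(m, (_k) => (acc) => succ(acc), n);
const mul = (m: N, n: N): N => R<N>(zero, (_k) => (acc) => add(acc, m), n);

// factorial uses the index argument of R: 0! = 1, (σk)! = σk × k!.
const fact = (n: N): N =>
  R<N>(numeral(1), (k) => (acc) => mul(succ(k), acc), n);
```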

It is also not hard to show that

\[ N : \mathrm{Prop}. \]

We know that this definition works in the sense that we can define all primitive recursive functions and that the Peano axioms hold. However, our knowledge of the Peano axioms is entirely metatheoretic; we do not get the formulas representing these axioms as theorems of TAC. To get the Peano axioms holding formally within TAC, we need to add some new axioms. The first two axioms we need are obvious:

\[ \mathrm{Peano1} \equiv (\forall n : N)(\neg\, \sigma n =_N 0) \]

and

\[ \mathrm{Peano2} \equiv (\forall m : N)(\forall n : N)(\sigma m =_N \sigma n \supset m =_N n). \]

We also need the induction axiom:

\[ \mathrm{Peano} \equiv (\forall A : N \to \mathrm{Prop})((\forall m : N)(Am \supset A(\sigma m)) \supset A0 \supset (\forall n : N)(An)). \]

Since the defining equations for $+$ and $\times$ follow from the reduction properties of $R$ and rule (Eq″), it may appear that we have everything we need for arithmetic.

However, we are not finished. For although the only closed terms of type $N$ are known to be natural numbers^{11}, so that the axiom $\mathrm{Peano}$ does not really restrict the domain of objects in $N$, we do need to be able to talk about objects in other types which are not natural numbers. We may even want to create a supertype of $N$, and in such a supertype, where we will have things which are not natural numbers, we will want to be able to assert that an object is not a natural number. To do this, we need to be able to say that something is a natural number. And so far, we have no way of doing this that is part of the logic; we have only

\[ M : N, \]

which is definitely not the same thing. Thus, we need a predicate of the logic, $\mathcal{N}$, which says that something is a natural number. The definition we want is as follows:

\[ \mathcal{N} \equiv \lambda n : N \,.\, (\forall A : N \to \mathrm{Prop})((\forall m : N)(Am \supset A(\sigma m)) \supset A0 \supset An). \]

^{11} Except for $\lambda A : \mathrm{Prop} \,.\, \lambda x : A \to A \,.\, x$; this term is $\eta$-convertible to $\bar{1}$, but not $\beta$-convertible. But this term is not really something other than a natural number.
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It  is  easy  to  prove 


Htac  Af :  N  — ►  Prop, 

Htac  M  :AfO, 

f~TAC  iV  :  (Vn  :  N)(A/n  D  Af(trn)), 

for  closed  terms  M  and  N. 

Now that we have the definition of $\mathcal{N}$, we no longer need the axiom Peano, for it is easy to prove¹² that there is a closed term $M$ such that

$\vdash_{\mathrm{TAC}} M : (\forall A : N \to \mathrm{Prop})\big((\forall m : N)(Am \supset A(\sigma m)) \supset A0 \supset (\forall n : N)(\mathcal{N}n \supset An)\big).$

While this is not exactly Peano, it is close enough for practical purposes¹³.

This leaves us with the axioms Peano1 and Peano2. These two axioms appear to constitute a minor variation of the well-formed environment $\Gamma$ of Theorem 5.2. In fact, a similar proof gives us the following result:

Theorem 5.3 (Q-consistency of arithmetic) If $\Gamma$ is

$c_1 : \mathrm{Peano1}, \quad c_2 : \mathrm{Peano2},$

and if

$\Gamma \vdash_{\mathrm{TAC}} R : M =_A N,$

where $R$ is a closed term, $A$ is a type in Prop, and $M$ and $N$ are terms of type $A$, then

$M \equiv N.$

Corollary 5.3.1 If $\Gamma$ is as in the theorem, then it is consistent; i.e., there is no closed term $S$ such that

$\Gamma \vdash_{\mathrm{TAC}} S : \bot.$

The theory of arithmetic we have just seen is an excellent prototype for inductively generated free algebras, which can all be defined by similar methods¹⁴. It is not strictly necessary to have definitions for the types and constants involved: the above theory would work just as well if $N$, $0$, $\sigma$, and $R$ are new atomic constants¹⁵. If we do take them as atomic constants, then Peano can be interpreted as saying that type $N$ is assigned only to terms in the set $\mathcal{N}$, and so we are justified in concluding the consistency of the system with axiom Peano added.

¹²This is not mentioned in [Hue86] or [Hue87].

¹³What Peano actually does is to say that the induction principle holds formally for the type $N$. We know metatheoretically that it holds for $N$, but without the axiom Peano, we do not have the result as a formal theorem of TAC. Since we do have that formal knowledge about $\mathcal{N}$, it is difficult to imagine circumstances in which this formal knowledge about $N$ would be necessary.

¹⁴Cf. [BB84].

As an example of an inductively generated free algebra, let us consider lists. In ROMULUS we will use lists to formulate the hook-up security property. To have lists of terms of type $A$, we need a type List which, when applied to $A$, forms the type $\mathrm{List}A$ of lists of objects of type $A$. We also need the empty list, $\mathrm{nil}_A$, and the function $\mathrm{cons}_A$ of type $A \to \mathrm{List}A \to \mathrm{List}A$ which puts an object of type $A$ at the front of a list of objects of type $A$ to produce a new list of objects of type $A$. We will want to be able to define recursively functions on lists and objects of type $A$. For example, the function append, which concatenates two lists, is defined as follows, where $L_1$ and $L_2$ are lists of type $\mathrm{List}A$ and $M : A$:

$\mathrm{append}_A(\mathrm{nil}_A)L_2 = L_2,$

$\mathrm{append}_A(\mathrm{cons}_A M L_1)L_2 = \mathrm{cons}_A M(\mathrm{append}_A L_1 L_2).$

To take another example, the function reverse, which reverses the order of a list, is defined by

$\mathrm{reverse}_A L \equiv \mathrm{flip}_A L(\mathrm{nil}_A),$

where flip is defined by

$\mathrm{flip}_A(\mathrm{nil}_A)L_2 = L_2,$

$\mathrm{flip}_A(\mathrm{cons}_A M L_1)L_2 = \mathrm{flip}_A L_1(\mathrm{cons}_A M L_2).$

To  make  definitions  like  this,  we  need  a  term  which  plays  with  respect  to  lists  the 
role  that  R  plays  with  respect  to  N. 

It  turns  out  to  be  possible  to  define  List,  nil,  and  cons  so  that  these  recursive 
definitions  become  possible: 

$\mathrm{List} \equiv \lambda A : \mathrm{Prop} \,.\, (\forall u : \mathrm{Prop})((A \to u \to u) \to u \to u),$

$\mathrm{nil} \equiv \lambda A : \mathrm{Prop} \,.\, \lambda B : \mathrm{Prop} \,.\, \lambda f : A \to B \to B \,.\, \lambda y : B \,.\, y,$

$\mathrm{cons} \equiv \lambda A : \mathrm{Prop} \,.\, \lambda x : A \,.\, \lambda l : \mathrm{List}A \,.\, \lambda B : \mathrm{Prop} \,.\, \lambda f : A \to B \to B \,.\, \lambda y : B \,.\, f x (l B f y).$

¹⁵Of course, the reduction rules for $R$ have to be postulated in this case. We can have confidence that there is no problem with the strong normalization theorem if these new constants are assumed, precisely because we can define all of them as closed terms from which the reduction rules for $R$ can be deduced.
The intention is that if $L = (x_1, x_2, \dots, x_n)$ is a list in $\mathrm{List}A$, $f : A \to B \to B$, and $y : B$, then

$L B f y = f x_1 (f x_2 (\dots (f x_n y) \dots)).$

To show that this definition works, note that if $h : A \to B \to B$ and $M : B$, and if $g$ is defined by

$g \equiv \lambda l : \mathrm{List}A \,.\, l B h M,$

then $g$ has the properties

$g(\mathrm{nil}_A) = M,$

$g(\mathrm{cons}_A x L) = h x (g L),$

for all $x : A$ and $L : \mathrm{List}A$. This function $g$ allows us to define append, reverse, and such other list functions as length, mapcar, null, car, and cdr.
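The encoding above can be exercised directly. The following Python is an added example, not code from the report or from ROMULUS; it transcribes nil, cons, and the fold $g \equiv \lambda l \,.\, l B h M$ literally as lambdas, drops the type arguments $A$ and $B$ (Python erases them), and then builds append, flip/reverse, length, mapcar, null, car, and cdr from that fold alone, so that each definition can be checked against its defining equations. The Python list conversions and the choice that car of nil returns None are conveniences of this example, not the report's.

```python
from typing import Any, Callable

# Untyped stand-ins for the typed terms on the page. Assumption of this
# example: Python lambdas play the role of TAC terms, and the type
# arguments A and B are dropped because Python erases them.
Church = Callable[[Callable[[Any], Callable[[Any], Any]]], Callable[[Any], Any]]


def nil() -> Church:
    """nil ≡ λf : A → B → B . λy : B . y"""
    return lambda f: lambda y: y


def cons(x: Any, l: Church) -> Church:
    """cons ≡ λx : A . λl : List A . λf : A → B → B . λy : B . f x (l B f y)"""
    return lambda f: lambda y: f(x)(l(f)(y))


def fold(l: Church, h: Callable[[Any], Callable[[Any], Any]], m: Any) -> Any:
    """g ≡ λl : List A . l B h M, so fold(nil) = m and fold(cons x L) = h x (fold L)."""
    return l(h)(m)


def from_py(xs: list) -> Church:
    """Build cons x1 (cons x2 (... nil)) from a Python list (convenience of this example)."""
    l = nil()
    for x in reversed(xs):
        l = cons(x, l)
    return l


def to_py(l: Church) -> list:
    """Read a Church list back as a Python list by folding with list prepend."""
    return fold(l, lambda x: lambda acc: [x] + acc, [])


def append(l1: Church, l2: Church) -> Church:
    """append (nil) L2 = L2;  append (cons M L1) L2 = cons M (append L1 L2)."""
    return fold(l1, lambda x: lambda acc: cons(x, acc), l2)


def flip(l1: Church) -> Callable[[Church], Church]:
    """flip (nil) L2 = L2;  flip (cons M L1) L2 = flip L1 (cons M L2).
    The accumulator L2 makes the fold's result type B = List A → List A."""
    return fold(l1, lambda x: lambda k: lambda acc: k(cons(x, acc)), lambda acc: acc)


def reverse(l: Church) -> Church:
    """reverse L ≡ flip L (nil)"""
    return flip(l)(nil())


def length(l: Church) -> int:
    return fold(l, lambda x: lambda n: n + 1, 0)


def mapcar(f: Callable[[Any], Any], l: Church) -> Church:
    return fold(l, lambda x: lambda acc: cons(f(x), acc), nil())


def null(l: Church) -> bool:
    return fold(l, lambda x: lambda acc: False, True)


def car(l: Church) -> Any:
    """First element: the outermost application of the fold is h x1 (...), so x1 wins.
    Returning None for nil is a choice of this example."""
    return fold(l, lambda x: lambda acc: x, None)


def cdr(l: Church) -> Church:
    """Tail via the pairing trick: the fold carries (list rebuilt so far, its tail);
    each step pushes x onto the rebuilt list and records the previous one as the tail."""
    pair = fold(l, lambda x: lambda p: (cons(x, p[0]), p[0]), (nil(), nil()))
    return pair[1]
```

Every function here is a single fold, which is the point of the page's remark that $g$ suffices: flip shows the standard trick of folding into a function when the recursion carries an accumulator, and cdr shows the pairing trick needed because a fold sees only the result for the tail, not the tail itself.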

Just as we defined $\mathcal{N}$ corresponding to $N$, so we can define $\mathcal{L}$ corresponding to List. The definition is as follows:

$\mathcal{L} \equiv \lambda A : \mathrm{Prop} \,.\, \lambda x : \mathrm{List}A \,.\, (\forall C : \mathrm{List}A \to \mathrm{Prop})\big((\forall u : A)(\forall l : \mathrm{List}A)(Cl \supset C(\mathrm{cons}_A u l)) \supset C(\mathrm{nil}_A) \supset Cx\big).$

It is then easy to prove

$\vdash_{\mathrm{TAC}} \mathcal{L} : (\forall A : \mathrm{Prop})(\mathrm{List}A \to \mathrm{Prop}),$

$\vdash_{\mathrm{TAC}} M : (\forall A : \mathrm{Prop})(\mathcal{L}A(\mathrm{nil}_A)),$

$\vdash_{\mathrm{TAC}} N : (\forall A : \mathrm{Prop})(\forall u : A)(\forall l : \mathrm{List}A)(\mathcal{L}Al \supset \mathcal{L}A(\mathrm{cons}_A u l)),$

and

$\vdash_{\mathrm{TAC}} P : (\forall A : \mathrm{Prop})(\forall B : \mathrm{List}A \to \mathrm{Prop})\big((\forall u : A)(\forall l : \mathrm{List}A)(Bl \supset B(\mathrm{cons}_A u l)) \supset B(\mathrm{nil}_A) \supset (\forall l : \mathrm{List}A)(\mathcal{L}Al \supset Bl)\big),$

for some closed terms $M$, $N$, and $P$. This gives us the desired induction property on lists. All we still need are axioms corresponding to Peano1 and Peano2:

$(\forall A : \mathrm{Prop})(\forall x : A)(\forall y : A)(\forall l : \mathrm{List}A)(\forall m : \mathrm{List}A)(\mathrm{cons}_A x l =_{\mathrm{List}A} \mathrm{cons}_A y m \supset x =_A y \wedge l =_{\mathrm{List}A} m),$

and

$(\forall A : \mathrm{Prop})(\forall x : A)(\forall l : \mathrm{List}A)(\neg\, \mathrm{cons}_A x l =_{\mathrm{List}A} \mathrm{nil}_A).$

A modification of the proof of Theorem 5.3 shows that these two axioms are consistent.
5.4 Representing sets and functions

We spoke in the last section of the predicate $\mathcal{N}$ of natural numbers. But most mathematicians prefer to think of the set of natural numbers. This point of view is easily accommodated in the theory of constructions, since it is easy to think of a predicate as a set¹⁶.

Thus, suppose we have some type $U : \mathrm{Prop}$ or $U : \mathrm{Type}$. Then we may think of $U$ as the current universe. Sets over $U$ are defined to be predicates of type $U \to \mathrm{Prop}$. More formally, we may define

$\mathrm{Set}_U \equiv U \to \mathrm{Prop}.$

In terms of this definition, $\mathcal{N} : \mathrm{Set}_N$ and, if $A : \mathrm{Prop}$, $\mathcal{L}A : \mathrm{Set}_{\mathrm{List}A}$. If $A : \mathrm{Set}_U$, then we define $x \in A$ to be $Ax$. The set $\{x : U \mid E\}$ is defined to be $\lambda x : U \,.\, E$. Inclusion of set $A$ in set $B$ can be defined by

$A \subseteq B \equiv (\forall x : U)(x \in A \supset x \in B)$

and the corresponding equality by

$A = B \equiv A \subseteq B \wedge B \subseteq A.$

A special intensional equality on $U$ can be defined as follows:

$x = y \equiv (\forall A : \mathrm{Set}_U)(x \in A \supset y \in A).$

Many of the usual sets and set operations can be easily defined. For example:

$\emptyset \equiv \{x : U \mid \bot\},$

$A \cap B \equiv \{x : U \mid x \in A \wedge x \in B\},$

$A \cup B \equiv \{x : U \mid x \in A \vee x \in B\},$

and

$\sim A \equiv \{x : U \mid \neg\, x \in A\}.$

When no confusion results, we can leave out $U$ and write $\{x \mid E\}$, Set, etc.

It is important to remember the constructive nature of the logic. This means that the set operations given above are not exactly like those in ordinary mathematics. For example, we have

$A \subseteq \sim\sim A,$

¹⁶This material is based on the work of Huet [Hue86], Chapter 12, and [Hue87].
but not, in general, the converse.

One operation on sets that we do not have here is the power set operation. For the power set of $A$, i.e. the set of all subsets of $A$, is defined by

$\mathcal{P}A \equiv \lambda B : \mathrm{Set} \,.\, B \subseteq A,$

and the type of $\mathcal{P}A$ is not Set, which is $U \to \mathrm{Prop}$, but instead $\mathrm{Set} \to \mathrm{Prop}$. Terms of type $\mathrm{Set} \to \mathrm{Prop}$ will be called classes, and we will give the formal definition

$\mathrm{Class}_U \equiv \mathrm{Set}_U \to \mathrm{Prop}.$

Since $U$ can be replaced by $\mathrm{Set}_U$, all set operations are also class operations. We can define other class operations, for example

$\bigcap C \equiv \{x \mid (\forall A : \mathrm{Set})(CA \supset x \in A)\},$

and

$\bigcup C \equiv \{x \mid (\exists A : \mathrm{Set})(CA \wedge x \in A)\}.$

We can also define the singleton in terms of classes:

$\{x\} \equiv \bigcap(\lambda A : \mathrm{Set} \,.\, x \in A).$

With these definitions,

$\mathcal{N} : \mathrm{Set}_N.$

We know metatheoretically that the closed terms which are elements of the set $\mathcal{N}$ are exactly the closed terms of type $N$. Thus, the set $\mathcal{N}$ represents the type $N$ in a special way. There is no known uniform method of defining sets to represent types for arbitrary types that does not require extra axioms¹⁷.

Most mathematicians think of functions as sets of ordered pairs, but this conception is not really appropriate here. For we already have functions built into the theory of constructions as primitive. A function is simply a term assigned to a type of the form $(\forall x : A)B$. Functions can, of course, be elements of sets, especially if the sets correspond to types the way $\mathcal{N}$ corresponds to $N$. Since a set corresponding to a type $A$ is a term of type $A \to \mathrm{Prop}$, a set of functions from type $A$ to type $B$ is a term of type $(A \to B) \to \mathrm{Prop}$. To say that a function $f : U \to U$ is a function from set $A$ to set $B$, we use the type

$(\forall x : U)(x \in A \supset fx \in B).$

It follows that the set of functions from set $A$ to set $B$ is

$\lambda f : U \to U \,.\, (\forall x : U)(x \in A \supset fx \in B).$

¹⁷It is, of course, possible to add an axiom of the form $\mathcal{A}M$ for each closed term $M : A$, where $A$ is a type and $\mathcal{A}$ is the set intended to represent it, but many of these axioms are likely to upset the proof of strong normalization.

If $f : U \to U$, then for $A : \mathrm{Set}$ we can define

$\mathrm{Preserve}\, f A \equiv (\forall x : U)(x \in A \supset fx \in A).$

In terms of this operator, the induction axiom Peano can be written as

$\mathrm{Peano} \equiv (\forall A : N \to \mathrm{Prop})((\mathrm{Preserve}\, \sigma A) \supset 0 \in A \supset (\forall n : N)(n \in A)),$

and the definition of $\mathcal{N}$ as

$\mathcal{N} \equiv \lambda n : N \,.\, (\forall A : N \to \mathrm{Prop})(\mathrm{Preserve}\, \sigma A \supset 0 \in A \supset n \in A).$

This  may  help  to  show  how  to  standardize  the  definition  of  inductively  defined  free 
algebras. 
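A finite model makes the set-theoretic reading of this section concrete. The Python below is an added example, not code from the report or from ROMULUS: it takes a constructed finite universe $U$ of integers (some negative, so that not everything in $U$ is a natural number), represents sets as predicates on $U$ and classes as predicates on sets, and defines $\in$, $\subseteq$, $\cap$, $\cup$, $\sim$, Preserve, $\mathcal{P}$, $\bigcap C$, $\bigcup C$ and the singleton as on the page. Because $U$ is finite, the quantifier $(\forall A : \mathrm{Set})$ can be run as a loop over all $2^{|U|}$ subsets, so the inductive predicate $\mathcal{N} \equiv \lambda n \,.\, (\forall A)(\mathrm{Preserve}\, \sigma A \supset 0 \in A \supset n \in A)$ can actually be evaluated and seen to pick out exactly the elements reachable from $0$. The saturating successor $\sigma$ (which stays inside $U$ at the top) is an assumption of the example; and Python's booleans are classical, so here $\sim\sim A = A$, whereas the constructive logic of the page only gives $A \subseteq \sim\sim A$.

```python
from itertools import combinations
from typing import Callable, FrozenSet, Iterator, List

# Constructed finite universe U (an assumption of this example): a few
# integers, including negative ones that are deliberately "not natural numbers".
U: FrozenSet[int] = frozenset(range(-3, 8))

Set = Callable[[int], bool]     # Set_U ≡ U → Prop, read as a Python predicate on U
Class = Callable[[Set], bool]   # Class_U ≡ Set_U → Prop


def member(x: int, A: Set) -> bool:
    """x ∈ A is defined to be A x."""
    return A(x)


def comprehension(E: Callable[[int], bool]) -> Set:
    """{x : U | E} ≡ λx : U . E (restricted to U so that stray arguments are rejected)."""
    return lambda x: x in U and E(x)


def subset(A: Set, B: Set) -> bool:
    """A ⊆ B ≡ (∀x : U)(x ∈ A ⊃ x ∈ B)"""
    return all((not member(x, A)) or member(x, B) for x in U)


def set_eq(A: Set, B: Set) -> bool:
    """A = B ≡ A ⊆ B ∧ B ⊆ A"""
    return subset(A, B) and subset(B, A)


EMPTY: Set = comprehension(lambda x: False)                  # ∅ ≡ {x : U | ⊥}


def intersection(A: Set, B: Set) -> Set:                     # A ∩ B
    return comprehension(lambda x: member(x, A) and member(x, B))


def union(A: Set, B: Set) -> Set:                            # A ∪ B
    return comprehension(lambda x: member(x, A) or member(x, B))


def complement(A: Set) -> Set:                               # ∼A ≡ {x : U | ¬ x ∈ A}
    return comprehension(lambda x: not member(x, A))


def preserve(f: Callable[[int], int], A: Set) -> bool:
    """Preserve f A ≡ (∀x : U)(x ∈ A ⊃ f x ∈ A)"""
    return all((not member(x, A)) or member(f(x), A) for x in U)


def all_sets() -> Iterator[Set]:
    """Enumerate every Set over U, so that (∀A : Set) becomes a finite loop."""
    elems = sorted(U)
    for k in range(len(elems) + 1):
        for combo in combinations(elems, k):
            s = frozenset(combo)
            yield (lambda x, s=s: x in s)


def power_set(A: Set) -> Class:
    """𝒫A ≡ λB : Set . B ⊆ A  (a class, i.e. a predicate on sets, not a set)."""
    return lambda B: subset(B, A)


def class_intersection(C: Class) -> Set:
    """∩C ≡ {x | (∀A : Set)(CA ⊃ x ∈ A)}"""
    return comprehension(lambda x: all((not C(A)) or member(x, A) for A in all_sets()))


def class_union(C: Class) -> Set:
    """∪C ≡ {x | (∃A : Set)(CA ∧ x ∈ A)}"""
    return comprehension(lambda x: any(C(A) and member(x, A) for A in all_sets()))


def singleton(x: int) -> Set:
    """{x} ≡ ∩(λA : Set . x ∈ A)"""
    return class_intersection(lambda A: member(x, A))


def sigma(n: int) -> int:
    """Successor, saturating at the top of U so that U is closed under it (assumption)."""
    return n + 1 if n + 1 in U else n


def inductive_N() -> Set:
    """𝒩 ≡ λn . (∀A : Set)(Preserve σ A ⊃ 0 ∈ A ⊃ n ∈ A),
    which is exactly ∩ of the class {A | Preserve σ A ∧ 0 ∈ A}."""
    return class_intersection(lambda A: preserve(sigma, A) and member(0, A))


def extension(A: Set) -> List[int]:
    """The elements of U that the predicate A accepts (for inspection only)."""
    return sorted(x for x in U if member(x, A))
```

Running `extension(inductive_N())` over this universe yields `[0, 1, 2, 3, 4, 5, 6, 7]`: the negative elements are excluded because `{0, ..., 7}` itself satisfies `Preserve σ` and contains `0`, which is the finite shadow of the page's remark that the closed elements of $\mathcal{N}$ are exactly the closed terms of type $N$. `power_set` returns a `Class`, not a `Set`, matching the typing point made in the text.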

This much set theory is sufficient for most practical mathematical purposes, but from the point of view of a set theorist it is incomplete. Its major weakness is that if $A$ is a set, $\mathcal{P}A$ is not a set but a class; in the standard set theories it is also a set. To make this a set, we would need to have Set include not only the terms in $U \to \mathrm{Prop}$ but also those in $(U \to \mathrm{Prop}) \to \mathrm{Prop}$, $((U \to \mathrm{Prop}) \to \mathrm{Prop}) \to \mathrm{Prop}$, etc. This can be represented in the theory of constructions as follows:¹⁸ first define

$\mathrm{Set}_1 \equiv U \to \mathrm{Prop},$

$\mathrm{Set}_{n+1} \equiv \mathrm{Set}_n \to \mathrm{Prop}.$

Then we want to introduce a new type Set which will be assigned to terms in any of the types $\mathrm{Set}_n$. This requires that each type $\mathrm{Set}_n$ be a subtype of Set.

There is a general method of making type $A$ a subtype of type $B$: it is to take as an assumption

$\lambda x : A \,.\, x : A \to B.$

From this assumption and $M : A$, we get $(\lambda x : A \,.\, x)M : B$, and clearly $(\lambda x : A \,.\, x)M$ represents the same object as $M$; in fact, it reduces to $M$. Assumptions of this form have not been considered so far in the theory of constructions, and cannot occur in well-formed environments. However, they have been considered in connection with ordinary type assignment; see [CHS72], pp. 453 and 304, where they are called proper inclusions. Furthermore, conditions under which these assumptions are compatible with the normal form theorem are given in [Sel77], Remark 2, p. 23. It is possible to extend condition (i) of that Remark to TAC:

¹⁸This is not done in [Hue86] or [Hue87].
Theorem 5.4 (Consistency of proper inclusions) Let $\Gamma$ be a well-formed environment, and let $\Gamma'$ be a sequence of assumptions each of which has the form

$\lambda x : A \,.\, x : A \to B,$

where $B$ is an atomic constant, the assumption $B : \kappa$ occurs in $\Gamma$, and $B \to C$ is not a type in $\Gamma'$ for any type $C$. Then any deduction of

$\Gamma, \Gamma' \vdash_{\mathrm{TAC}} M : A$

is strongly normalizable and both $M$ and $A$ have normal forms.

Proof We begin by proving that the required deductions are SN. Begin by replacing in each assumption in $\Gamma'$ the term $\lambda x : A \,.\, x$ by a variable which does not occur free in either $\Gamma$ or $\Gamma'$, using a distinct variable for each such assumption. The resulting deductions are all SN by Theorem 4.14. Hence, the deductions in which we are interested, which are all obtained by substituting terms for variables, are also all SN.

Now let us consider the terms in these deductions. These terms may contain redexes of the form

$(\lambda x : A \,.\, x)M.$

A contraction will replace this redex by $M$. What we need to know is that this will not produce a new redex. This could only happen if the original redex occurred in a subterm of the form

$(\lambda x : A \,.\, x)M N_1 N_2 \dots N_n,$

and since the type of

$(\lambda x : A \,.\, x)M$

is $B$, which is by hypothesis a new constant and hence not convertible to the form $(\forall y : C)D$, this is impossible. ∎


Now, in order to interpret a set theory in which the power set of a set is a set, we need only define $\mathrm{Set}_n$ as indicated above for each $n \ge 1$, define Set to be a new atomic constant, assume $\mathrm{Set} : \mathrm{Prop}$ or $\mathrm{Set} : \mathrm{Type}$, and then assume the proper inclusion of $\mathrm{Set}_n$ in Set,

$\lambda x : \mathrm{Set}_n \,.\, x : \mathrm{Set}_n \to \mathrm{Set},$

for each $n \ge 1$¹⁹. It follows from what we have just proved that this is consistent; for Set is essentially the union of all the $\mathrm{Set}_n$, and in any given deduction it will be possible to replace Set by the union of a finite number of the $\mathrm{Set}_n$ and thus avoid using any new assumptions.

¹⁹This involves an infinite number of assumptions, but they can all be described in a finite manner, and so it is not unreasonable to suppose that this can be implemented.
Appendix A

LIST OF POSTULATES AND SYSTEMS

Here are listed the various postulates which have appeared in this document and the systems in which they occur. A list of the systems and the numbers of their definitions is given in Appendix B. The rules are listed in the order in which their main operators first appear.

(→ Formation): TAJ, TAT
(→ e): TA, TAP, TAJ, TAT
(→ i): TA, TAP; (alternate form) TAJ, TAT
(∀ Formation): TAGU
(∀e): TAP; (another sense) NJ*; (another sense) TAGU, TAC; (another sense) TACS
(∀i): TAP; (another sense) NJ*; (another sense) TACS
(∀J Formation): TAJ
(∀J e): TAJ
(∀J i): TAJ
(∀P i): TAC
(∀T i): TAC
(∀U i): TAGU
(∀α Formation): TAT
(∀α e): TAT, TAG
(∀α i): TAT, TAG
(=α): TA; (another sense) TACS

«):  TAP,  TAJ,  TAT,  TAG,  TAGU,  TAC 

(s£):  TAP 

(s'"  a):  TAJ,  TAT 

(⊃ e): NA(⊃), NJ, NJ*
(⊃ i): NA(⊃), NJ, NJ*
(∧e): NJ, NJ*
(∧i): NJ, NJ*
(∨e): NJ, NJ*
(∨i): NJ, NJ*
(¬e): Derived in NJ, NJ*
(¬i): Derived in NJ, NJ*
(⊥ j): NJ, NJ*

(-L  j$):  added  to  extended  TA 
(X  j <pi):  TAJ 
(∃e): NJ*
(∃i): NJ*
(∃J Formation): TAJ
(∃J e): TAJ
(∃J i): TAJ
(e,):  TAJ 
(w,):  TAJ 
(W):  TAJ 
(void):  TAJ 
(× Formation): TAJ
(×e)₁: TAJ
(×e)₂: TAJ
(×i): TAJ
(+ Formation): TAJ
(+e): TAJ
(+i)₁: TAJ
(+i)₂: TAJ

(Eq“):  TAG,  TAGU,  TAC,  TACS 
(Eq'U): TAGU

(Eq'P):  TAC,  TACS 

(Eq'T):  TAC,  TACS 

(Pe):  TACS 

(Pi):  TACS 

(PPFormation):  TAC 

(PT):  TAC;  (another  sense)  TACS 

(PT  Formation):  TAC 

(TP  Formation):  TAC 

(TT  Formation):  TAC 

(Ai):  TACS 
Appendix B

SYSTEMS AND THEIR DEFINITIONS

Here is a list of systems and their definitions.

NA(⊃): Definition 3.2.

NJ:  Definition  3.4. 

NJ*:  Definition  3.6. 

TA:  Definition  2.1. 

Extended  TA:  Remark  after  Corollary  2.2.3  (end  of  Section  2.1). 
TAC:  Definition  4.2. 

TACS:  Definition  4.21. 

TAG:  Definition  2.22. 

TAGU:  Definition  2.24. 

TAJ:  Definition  3.10. 

TAP:  Definition  2.12. 

TAT:  Definition  3.12. 